The First Windows 7 Zero-Day Exploit
xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, for which a demonstration exploit is publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."
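The firewall workaround the summary mentions, written out as an added example (not taken from the article or from Microsoft's advisory): Windows Firewall rules for Windows 7 / Server 2008 R2 via the built-in netsh advfirewall tool, plus the commands to confirm they took effect. The rule names are arbitrary labels chosen here; the choice to leave the domain profile alone and to add an outbound rule on the public profile is my own assumption about a sensible default, not the article's recommendation.

```powershell
# Added example: mitigate the SMB crash by blocking the SMB/NetBIOS session ports
# in Windows Firewall. Run from an elevated prompt on Windows 7 / Server 2008 R2.

# First confirm the firewall is actually on for every profile.
netsh advfirewall show allprofiles state

# Inbound TCP 139 (NetBIOS session service) and TCP 445 (direct-hosted SMB),
# blocked on the public and private profiles. The domain profile is left alone
# so file and print sharing keeps working on the corporate LAN; use profile=any
# to block everywhere.
netsh advfirewall firewall add rule name=BlockInboundSMB139_445 dir=in action=block protocol=TCP localport=139,445 profile=public,private enable=yes

# The summary says a crafted URI can trigger the crash, which implies the
# affected machine may be the one opening the SMB connection. An outbound block
# on untrusted (public) networks covers that direction as well.
netsh advfirewall firewall add rule name=BlockOutboundSMB139_445 dir=out action=block protocol=TCP remoteport=139,445 profile=public enable=yes

# Verify both rules exist and show Enabled: Yes.
netsh advfirewall firewall show rule name=BlockInboundSMB139_445
netsh advfirewall firewall show rule name=BlockOutboundSMB139_445
```

The same ports should of course be filtered at the perimeter firewall as well; a host rule only protects the machine it is applied to.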
Why are ports 139 and 445 still open? (Score:5, Interesting)
I remember once trying to see what it takes to make Windows not have any ports open and it resulted in severely reduced access to just about anything that wasn't local. Why is it that these ports are necessary? Why is NETBIOS necessary?
Secured by Default (Score:5, Interesting)
Public networks have all inbound ports blocked by default. Changing a network type to anything other than public requires admin rights, so realistically this would have to be an internal DoS attack.
I have to ask (Score:3, Interesting)
In my ignorance, I have to ask: What's so special about 139 and 445? What do they do normally, and why would blocking them help? No, I didn't RTFA. I'm too tired for this :P
Re:Ball kicking time (Score:2, Interesting)
People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem. Maybe the person who was supposed to write the input protection piece forgot to do it because of a miscommunication (one of the downsides of working on a project where the job is split between thousands of developers).
Given that Windows has more lines of code than just about any other software in existence, it's actually fairly impressive how well it holds up the majority of the time.
Re:Ball kicking time (Score:4, Interesting)
Why is that?
Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.
Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.
That will be some code review (Score:3, Interesting)
I hate Microsoft with the best of them, but give their software engineers credit where it's due: how often have you delivered completely bugfree networking software?
Zero day (Score:3, Interesting)
Re:Ball kicking time (Score:3, Interesting)
assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking.
It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met. In the putative scenario of a loop coder thinking he was protected by input protection located somewhere else, the assert would only fire if the right test case was constructed. For all we know there is an assert in the code, but it won't help us in a release build.
I'm used to it (Score:2, Interesting)
This god damned Windows sharing code has been bugging us for years! I've been a net admin for 10 years at a university with over 25K connected computers, and as long as I can remember, ports 445, 139 and 137 have always been the target!
How bad can code be?!
Does this affect Samba (Score:3, Interesting)
and the Linux Kernel SMB support? If it does, we've got a major problem as they now have a method of taking a whole batch of sites down.
Re:How is this zero-day? (Score:2, Interesting)
Re:Why are ports 139 and 445 still open? (Score:3, Interesting)
I don't have your problem, and never have had. When I have DNS working and Windows set to use DNS for NetBIOS name resolution, everything works OK. What I *do* have now is that GNOME VFS will refuse to connect to a server on the first attempt (and fails quickly) but works immediately on the second. I wonder if that's related somehow.
Re:Ball kicking time (Score:3, Interesting)
The C99 specification says that defining the NDEBUG symbol can be used to prevent assert() from being compiled into the program. That means it is not a debug option, and should normally be present even in release code unless specifically disabled. Far, far better for the program to fail with a meaningful error that the development team can track than to let the program code hang, just frustrating a user who doesn't know anything.