The First Windows 7 Zero-Day Exploit

xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."

Why are ports 139 and 445 still open?

[concernedadmin]

I remember once trying to see what it takes to make Windows not have any ports open and it resulted in severely reduced access to just about anything that wasn't local. Why is it that these ports are necessary? Why is NETBIOS necessary?

Secured by Default

[Toreo asesino]

Public networks have all inbound ports blocked by default. Changing a network type to anything other than public requires admin rights, so this would have to be an internal DOS attack realistically.

I have to ask

[NoobixCube]

In my ignorance, I have to ask: What's so special about 139 and 445? What do they do normally, and why would blocking them help? No, I didn't RTFA. I'm too tired for this :P

Re:Ball kicking time

[ShooterNeo]

People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem. Maybe the person who was supposed to write the input protection piece forgot to do it because of a miscommunication. (one of the downsides of working on a project where the job is split between thousands of developers)

Given that Windows has more lines of code than just about any other software in existence, it's actually fairly impressive how well it holds up the majority of the time.

Re:Ball kicking time

[ozmanjusri]

Given that Windows has more lines of code than just about any other software in existence

Why is that?

Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.

Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.

That will be some code review

[Kupfernigk]

"Under all conditions" for a piece of complex code is often far from easy. I am still smarting from a problem we had recently (not a vulnerability) where the system was sporadically failing to output messages, a problem never seen before. Unit testing was no good. We spent a week reviewing the code: found a bug, fixed it. Now there were fewer sporadic missed messages, but the number was nonzero. We used a simulator to test under every condition we could think of: no errors. Back on customer site, missed messages. It turned out there was a tiny corner case in an algorithm that was being occasionally triggered by two devices on the network that had a firmware error.

I hate Microsoft with the best of them, but give their software engineers credit where it's due: how often have you delivered completely bugfree networking software?

Zero day

[Jeremy Visser]

Well, this may be the first "zero day" exploit, but this one [seclists.org] ("Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.") was around for much longer, and it's truly amazing that it still works on a majority of machines I try it out [dereenigne.com] on.

Re:Ball kicking time

[clodney]

People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem.

assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met. In the putative scenario of a loop coder thinking he was protected by input protection located somewhere else, the assert would only fire if the right test case was constructed. For all we know there is an assert in the code, but it won't help us in a release build.

I'm used to it

[dogganos]

This god damned code of windows sharing keeps bugging us for years! I've been 10 years net admin at a university with over 25K connected computers, and as long as I remember, port 445 and 139, 137 are always the target!
How bad a code can be??????

Does this affect Samba

[fast turtle]

and the Linux Kernel SMB support? If it does, we've got a major problem as they now have a method of taking a whole batch of sites down.

Re:How is this zero-day?

[DMiax]

Better than the OP's definition, but not correct. Zero-day means that at the time of the exploit no machine can have the fix already installed. They are different from the reverse-engineered bugs which are ineffective against properly updated software (i.e. when the admin does not suck).

Re:Why are ports 139 and 445 still open?

[drinkypoo]

I don't have your problem, and never have had. When I have DNS working and windows set to go to DNS for netbios name resolution, then everything works OK. What I *do* have now is that GNOME VFS will refuse to connect to a server on the first attempt (and fails quickly) but works immediately on the second. I wonder if that's related somehow.

Re:Ball kicking time

[Plunky]

assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met.

C99 specification says that defining a NDEBUG symbol can be used to prevent compiling the assert() into the program. That means it is not a debug option, and should normally be present even in release code unless specifically disabled. Far far better for the program to fail with a meaningful error that the development team can track than allow program code to hang just frustrating the user who doesn't know anything..