Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Windows Bug Technology

The First Windows 7 Zero-Day Exploit 289

xploraiswakco writes with the first Microsoft-confirmed Windows 7 zero-day vulnerability, with a demonstration exploit publicly available. The problem is in SMBv2 and SMBv1 and affects Windows 7 and Windows Server 2008 R2, but not Vista, XP, or Windows Server 2003. A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button. "Microsoft said it may patch the problem, but didn't spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of December 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall." Reader xploraiswakco adds, "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445, too."
This discussion has been archived. No new comments can be posted.

The First Windows 7 Zero-Day Exploit

Comments Filter:
  • by Anonymous Coward on Monday November 16, 2009 @04:56AM (#30113394)

    What are my options? New computer?

  • by DNS-and-BIND ( 461968 ) on Monday November 16, 2009 @05:02AM (#30113408) Homepage
    The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday

    OK the exploit is almost a week old already. How is this "zero-day"? In the immortal words of Inigo Montoya: "You keep using that word. I do not think it means what you think it means."

    • Are you trolling? (Score:2, Informative)

      by Anonymous Coward

      The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog.

      Quote whole sentences...

      • by Jurily ( 900488 )

        That still doesn't make it a zero-day. Zero-days appear in the wild on the day of release.

        • by MrNaz ( 730548 ) * on Monday November 16, 2009 @05:44AM (#30113582) Homepage

          So you're saying that it can only be described as zero day on that day, and thereafter it cannot be called a zero day exploit, but a n-day exploit where n is the number of days since it was announced?

          Sorry, but while you may be *lexically* correct, I think everyone with two brain cells that are on talking terms knows what is being referred to by a "zero day" exploit, even when referring to an exploit not released on that day.

          • Re: (Score:3, Informative)

            by dave562 ( 969951 )

            In the context of security exploits, zero day means that the patch is unavailable from the vendor. The original term zero day was stolen from the warez scene where "Zero Day is a state of freshness" (tm). In order for a warez release to be zero day it had to hit the site before it hit the store shelves. Usually that would mean that it came from Europe, or was released by someone who worked at the company putting the game out.

        • Re:Are you trolling? (Score:5, Informative)

          by DarkOx ( 621550 ) on Monday November 16, 2009 @06:58AM (#30113918) Journal

          I always thought that zero-day referred to the time between when an exploit was being used in the wild and the amount of time admins/endusers had to patch there systems.

          In the case of an exploit floating about in the wild where there has been no patch made available is a zero day because I have had zero days to patch my systems before the potential for easy exploitation.

      • The point of "zero-day" is that you have zero days to patch your system before exploits appear. For example, if the exploit was found by researching an existing exploit.

        If a security researcher found it, and it's not actually being exploited (yet), then it's not zero-day.

        It's not a difficult term, I'm not sure what the problem is here.

    • Re: (Score:3, Informative)

      by Yvanhoe ( 564877 )
      In my book "zero-day" means that the vulnerability and the first practical exploit were released the same day. "Zero-day" refers to the time the dev team had to correct the bug.
      • Re: (Score:2, Interesting)

        by DMiax ( 915735 )
        Better than the OP's definition, but not correct. Zero-day means that at the time of the exploit no machine can have the fix already installed. They are different from the reverse-engineered bugs which are ineffective against properly updated software (i.e. when the admin does not suck).
    • Re: (Score:3, Funny)

      by Ed Avis ( 5917 )

      'When I use a word,' Humpty Dumpty said, in rather a scornful tone, 'it means just what I choose it to mean -- neither more nor less.'

    • by PCM2 ( 4486 )

      Replying to undo an accidental moderation that didn't deserve it.

      Agreed that "zero day" has almost no meaning these days. Pretty bizarre when companies actually brag about their "zero day exploits" and promise a fix... several days from now?

      • The very idea of undoing your own powerful moderation use -- even if (especially if) you used it mistakenly is very un-slashdot of you. You're supposed to stay completely anonymous in your abusive mistake, and use those points to call all opinions you don't agree with either redundant or flamebait. Didn't you read the destructions the first time you got mod points?

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      A zero day exploit is an exploit that exists before the developers of the application are aware of the bug/flaw being exploited. It does not seem unreasonable to keep refering to it as a zero day exploit even after the details of the bug and exploit have been published, how else would you refer to it, e.g. "the exploit formerly known as zero day";

  • by concernedadmin ( 1054160 ) on Monday November 16, 2009 @05:02AM (#30113416)

    I remember once trying to see what it takes to make Windows not have any ports open and it resulted in severely reduced access to just about anything that wasn't local. Why is it that these ports are necessary? Why is NETBIOS necessary?

    • by ledow ( 319597 ) on Monday November 16, 2009 @05:10AM (#30113444) Homepage

      Even weirder - on a machine which isn't on a domain, but which has a software firewall, you can open *every* port to a destination machine (e.g. a fileserver) and it *will* access the SMB shares of that fileserver (\\ipaddress\c$ etc.) but takes forever the first time because the broadcasts have been blocked by the firewall. So it doesn't need the broadcasts, or to be on that domain, or to do anything that isn't direct IP with the target machine - but it still takes forever to realise that and just start listing files.

      And once you've done it once, that file sharing will run at full speed for the rest of the day. I'm imagining some sort of name resolution etc. issue (but the PC in question can actually use the same machine for DNS and still have the problem) but if it's not *required* to connect to the machine, why does it try anyway and hold everything up? And the firewall only ever reports NetBIOS traffic while that's happening.

      • Re: (Score:3, Interesting)

        by drinkypoo ( 153816 )

        I don't have your problem, and never have had. When I have DNS working and windows set to go to DNS for netbios name resolution, then everything works OK. What I *do* have now is that GNOME VFS will refuse to connect to a server on the first attempt (and fails quickly) but works immediately on the second. I wonder if that's related somehow.

    • Win 7 Firewall (Score:4, Informative)

      by carp3_noct3m ( 1185697 ) <`ten.edahs-sroirraw' `ta' `todhsals'> on Monday November 16, 2009 @05:42AM (#30113578)
      I decided that unlike Vista, I would beta Windows 7 and be ahead of the curve by the time it came out. I've been running it for roughly a year now (midnight snacktime is not condusive to memory) . Overall I am actually quite impressed (gasp! shoot me now). One thing I really like is the granular firewall abilities, which has clearly defined and seperate inbound/outbound rules. I currently have both set to a PIX style ACL type deny all except ports I explicitly state. Now this can be a pain to evaluate a new program to figure out which ports it needs open for proper function, but is definitely something that should be done ona group policy level at the domain, just because you have a supertight internet facing firewall, you still need to prevent LAN and VPN security issues as well.
      • by Kjella ( 173770 )

        Overall I am actually quite impressed (gasp! shoot me now).

        I think you're in good company. I just recently saw a poll on a site I visit with about 3600 votes on what OS they were running:

        Win 7: 47%
        XP: 23%
        Vista: 11%
        Mac: 10%
        Linux: 8%

        Yeah I know not exactly representative... but at least among Windows users I'd say early adopters, and clearly Windows 7 is a hit. It's completely killed Vista, and even those coming from XP seem happy. I think you can push the "Year of the Linux desktop" back another few years, I'm happy on Linux but any window Vista gave it has closed.

    • by WD ( 96061 ) on Monday November 16, 2009 @07:51AM (#30114230)

      The article and summary are not clear, but you need to block *outoing* ports 139 and 445 at the firewall to help protect against this issue. The vulnerability is triggered by the system attempting to make an SMB connection to a malicious server. This can happen in a number of ways, such as viewing a web page in IE or viewing an email message in Outlook or Outlook Express.

      If your firewall blocks outgoing 139 and 445, then the SMB connection attempt fails.

  • Ball kicking time (Score:5, Insightful)

    by Rogerborg ( 306625 ) on Monday November 16, 2009 @05:03AM (#30113422) Homepage

    Don't they do code reviews at Microsoft? Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

    Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.

    • Re: (Score:2, Interesting)

      by ShooterNeo ( 555040 )

      People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem. Maybe the person who was supposed to write the input protection piece forgot to do it because of a miscommunication. (one of the downsides of working on a project where the job is split between thousands of developers)

      Given that Windows has more lines of code than just about any other software in existence, it's actually fairly impressive how well it h

      • Re:Ball kicking time (Score:4, Interesting)

        by ozmanjusri ( 601766 ) <aussie_bob@ho[ ]il.com ['tma' in gap]> on Monday November 16, 2009 @06:39AM (#30113818) Journal
        Given that Windows has more lines of code than just about any other software in existence

        Why is that?

        Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.

        Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.

        • Re: (Score:2, Funny)

          by nstlgc ( 945418 )
          But nobody actually uses ReactOS!
        • Maybe it needs to be this complex, maybe it doesn't. Fact is, the majority of the desktop apps in the world are still run using a variant of windows, and for the moment it does not look like that fact is going to ever change.

          Microsoft cannot remove much code and maintain compatibility with legacy apps.

          Well, they COULD, but using emulation....

        • You don't need ReactOS to prove your point - the difference between Vista and XP is enough. The number of background applications run as services exploded in Vista... and as a nice side effect, it's nearly impossible, even with Process Explorer, to see what is slowing down your machine.

          Usually it's disk I/O from background processes like antivirus, windows update (anyting MSI related seems to totaly hog the system), or file indexing. But lots of the time it's just one of 10 services.exe or svchost.exe ent

        • Given that Windows has more lines of code than just about any other software in existence

          Why is that?

          Does an OS really need to be so complicated? ReactOS, for example, provides a significant proportion of the functionality of Windows in a fraction of the size.

          Surely fewer lines of code mean a smaller attack surface for exploits and vulnerabilities.

          given that Linus thinks Linux has gotten bloated, is indicative that it is a natural decay that is incumbent to modern desktop OSes. Not that it is necessary, but due to the scope and size of modern Desktop Oses, it is a natural side-effect, that once aware of can be combatted in OSes that are run by dedicated volunteers, but unlikely in any commercial OSes. I agree that given the development environment Windows holds up well. It's just the wrong development environment.
          Long live FOSS, the right developme

      • by Plunky ( 929104 )

        People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem.

        assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

        • Re: (Score:3, Interesting)

          by clodney ( 778910 )

          People make mistakes. Perhaps the coders of the loop thought that input protection located in code elsewhere would prevent this from ever being a problem.

          assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

          It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met. In the putative scenario of a loop coder thinking he was protected by input protection located somewhere else, the assert would only fire if the right test case was constructed. For all we know there is an assert in the code, but it won't help us in a release build.

          • Re: (Score:3, Interesting)

            by Plunky ( 929104 )

            assert() for that on entry to the function and it becomes immediately clear when your assumptions about elsewhere were lacking

            It will assert on entry of course, but only in a debug build, and only when the proper input conditions are met.

            C99 specification says that defining a NDEBUG symbol can be used to prevent compiling the assert() into the program. That means it is not a debug option, and should normally be present even in release code unless specifically disabled. Far far better for the program to fail

      • Do you sell used cars or something? Nothing personal, but that's a rather self-defeating argument for something you don't seem to have much faith in.
      • by Shotgun ( 30919 )

        People make mistakes. A company that has produced some of the richest people in the world and has extracted billions of dollars from the world's economy should have some processes in place to insure that bugs found years ago do not creep back in. It's called regression testing.

    • Re:Ball kicking time (Score:4, Informative)

      by 1s44c ( 552956 ) on Monday November 16, 2009 @06:37AM (#30113796)

      Seriously, that's the difference between a hacker and a software engineer right there. If you don't take the time to fix it early, you'll just have to fix it later.

      The Microsoft approach is to collect the money and get their customers to agree that everything that goes wrong is their fault. It's at least as good protection for them as writing decent code and many times cheaper.

    • "Under all conditions" for a piece of complex code is often far from easy. I am still smarting from a problem we had recently (not a vulnerability) where the system was sporadically failing to output messages, a problem never seen before. Unit testing was no good. We spent a week reviewing the code: found a bug, fixed it. Now there were fewer sporadic missed messages, but the number was nonzero. We used a simulator to test under every condition we could think of: no errors. Back on customer site, missed mes
    • by DrXym ( 126579 )
      Don't they do code reviews at Microsoft? Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

      Every OS in existence has received patches. OS X, Windows, Linux, Unix, BSD (even OpenBSD). Ubuntu Linux 9.10 has been out less than a month and I've already been received 90 odd patches and it still has a critical ext4 file corruption bug.

      I expect that even if MS rigorously tested the code (and I expect they did), used code coverage tools to ensure good quali


    • Loops 101: prove that the loop terminates under all conditions

      That one's gonna prove to be just a little difficult [wikipedia.org].
    • Re: (Score:3, Informative)

      by Blakey Rat ( 99501 )

      Don't they do code reviews at Microsoft?

      Yes they do.

      Loops 101: prove that the loop terminates under all conditions, even and especially when passed garbage.

      "Terminates under all conditions" is a little difficult to prove in any non-trivial situation.

      Seriously, that's the difference between a hacker and a software engineer right there.

      The former bitches and moans on Slashdot, and Microsoft hires the latter?

      If you don't take the time to fix it early, you'll just have to fix it later.

      Maybe you should send Micr

  • by Anonymous Coward on Monday November 16, 2009 @05:04AM (#30113424)

    No remote code execution? Boring. Let's see if some people out there could weaponize it and throw it into a metasploit module. Then it's interesting.

  • by EMN13 ( 11493 ) on Monday November 16, 2009 @05:06AM (#30113428) Homepage

    From the article:
      "Instead, the company suggested users block TCP ports 139 and 445 at the firewall. Doing so, however, would disable browsers as well as a host of critical services, including network file-sharing and IT group policies."

    Good to know that blocking ports 139 and 445 will block browsers, we wouldn't want people actually doing that, after all!

  • Secured by Default (Score:5, Interesting)

    by Toreo asesino ( 951231 ) on Monday November 16, 2009 @05:07AM (#30113430) Journal

    Public networks have all inbound ports blocked by default. Changing a network type to anything other than public requires admin rights, so this would have to be an internal DOS attack realistically.

    • by Malc ( 1751 )

      Yeah, I was wondering which firewall was being referred to: at the network level, or at the machine (i.e. Windows firewall) level? Would doing at the machine level make it hard for others to access shared folders? It seems these days that most of the computer issues (viruses, trojans, etc) have come from other machines on the corporate network, so a network level firewall is only have the story.

    • by sam0737 ( 648914 )

      Even for Home or Work / Domain profile, the default for "Network discovery" may be on, but "File and printer sharing" is off.

      (I could be wrong because it could be my company's group policy turned it off...someone could cross check)

    • so this would have to be an internal DOS attack realistically.

      Just the thing you need if you don't like your IT staff and they've just rolled out a Windows Server 2008 box...

    • Comment removed based on user account deletion
  • by DigitalReverend ( 901909 ) on Monday November 16, 2009 @05:12AM (#30113450)
    The summary states "A maliciously crafted URI could hard-crash affected machines beyond any remedy besides pushing the white button."

    I checked all the Windows machines here. None of them have a white button on them anywhere. What does this mean? Does the poster just mean powering the machine off and then on again?

    Too many times on Slashdot, when people should be informative, they obfuscate the information it in failed attempts at being clever.
    • I don't have Windows 7, but maybe its some UI component?
      • by Tim C ( 15259 )

        No - no white button in Win 7, and even if there were, if the machine has locked-up a UI component wouldn't do much good.

        GP is correct, the submitter is trying to be clever.

    • Re: (Score:2, Funny)

      by Hamsterdan ( 815291 )
      The only white button here is the buzzer on my front door. But I don't see how ringing the bell will solve that problem.
    • by Linker3000 ( 626634 ) on Monday November 16, 2009 @06:09AM (#30113692) Journal

      #3043-001 USB White Button Kit........34.99 + Shipping

      Ideal for computers not shipped by the manufacturer with a White Button pre-installed.

      A White Button is essential for all Windows Users. Upon a system failure, Denial of Service attack or crash, pressing the White Button releases a scientifically-formulated, airborne scent of soothing essential oil fragrances, including: Verbena, Sweet Orange, Roman Camomile and Ylang Ylag.

      At the same time, one of a number of pre-programmed actions are triggered while you listen to a random selection of 10 relaxing 'mood music' tracks.

      Basic actions include:

      1) Reboot
      2) Call my IT Support department
      3) Call the manufacturer's support department and cancel my evening dinner arrangements
      4) Reinstall current OS
      5) Reinstall current OS after backing up all user data
      6) Wipe and install CentOS
      7) Wipe and install Ubuntu
      8) Order me a Mac
      9) Order me a Big Mac, fries and a Coke

      Secondary actions can also be triggered from:

      A) Call Microsoft HQ every 'x' minutes and shout 'Fuck it' down the line.
      B) Post my CV to Linux-only job sites
      C) Rub my shoulders (Requires optional add-on #RS01)
      D) Dial local suicide help line

      A deluxe version of this item is available (#3043-002, 139.99 + Shipping). This model includes an external 10" LCD panel that can display random pages from a number of Web sites (slashdot.org, fark.com, silicon.com, cloudappreciationsociety.org and todaysbigfail.com)

      Extras and consumables:

      * #3043-S01 Replacement aromatherapy scent cartridge - pack of 12
      * #3043-S02 Replacement mustard gas scent cartridge sold singly, no returns
      * #3043-M01 Extended play music ROM - an extra 4 hours of music (for Dell Support customers)
      * #3043-P01 Enlarged White Button with face of Steve Ballmer on top. Comes complete with real wood mini hammer and elastic band-powered mini crossbox with safe-tip(TM) arrows (pack of 12 buttons)

  • by Sockatume ( 732728 ) on Monday November 16, 2009 @05:14AM (#30113460)

    A maliciously crafted URI could hard-crash affected machines beyond any remedy

    Oh no! A PC-killer!

    besides pushing the white button

    A reboot? Well, it's an unorthodox and extreme solution to a machine crashing, we'll have a hard time convincing Windows users to do that.

    • by Spad ( 470073 )

      The point is that it requires a hard reboot; the machine becomes unresponsive and doesn't throw a BSOD so you can't restart it with a three finger salute.

    • by Skapare ( 16644 )

      Any bets on whether the reset button will wear out before the 'D' key?

  • I have to ask (Score:3, Interesting)

    by NoobixCube ( 1133473 ) on Monday November 16, 2009 @05:16AM (#30113470) Journal

    In my ignorance, I have to ask: What's so special about 139 and 445? What do they do normally, and why would blocking them help? No, I didn't RTFA. I'm too tired for this :P

  • by Skapare ( 16644 ) on Monday November 16, 2009 @05:41AM (#30113574) Homepage

    ... they're all black ... you insensitive clod.

  • Comment removed based on user account deletion
    • Re: (Score:2, Informative)

      I didn't either. The common term was always Big Red Switch. This white button thing has really brought out the trolls, I can't blame them. It doesn't half wind me up that these people have a job and that having a brain disqualifies people from employment these days, God thinking is such a bad thing in the workplace today!!! They'd rather we lolcat the day away and show them nice performace statistics than actually make money for the firm to protect all our incomes. Pride and ego before logic and common sens
  • by Shag ( 3737 ) on Monday November 16, 2009 @06:11AM (#30113694) Journal

    Mine turned out to be maliciously crafted.

  • Firewall wont help. (Score:3, Informative)

    by miffo.swe ( 547642 ) <{daniel.hedblom} {at} {gmail.com}> on Monday November 16, 2009 @07:16AM (#30114020) Homepage Journal

    Since the exploit is possible without any user interaction all it takes to bring down a corporate network is one single machine running the xploit locally. A simple broadcast and every machine running w2kr2 or Vista7 will be dead until someone pulls the plug.

    Im also very surprised that Micorosft didnt audit the code properly after the last hole. You would think that the former xploit would ring a couple of bells since it was big enough for a truck to run through. Im beginning to suspect all the talk about SDL, reviews and stuff are nothing but PR.

  • Zero day (Score:3, Interesting)

    by Jeremy Visser ( 1205626 ) on Monday November 16, 2009 @07:23AM (#30114064) Homepage
    Well, this may be the first "zero day" exploit, but this one [seclists.org] ("Windows Vista/7 : SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D.") was around for much longer, and it's truly amazing that it still works on a majority of machines I try it out [dereenigne.com] on.
  • by jimicus ( 737525 ) on Monday November 16, 2009 @07:28AM (#30114102)

    "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445. too."

    I respectfully disagree.

    Any IT staff worth their pay packet should have EVERYTHING blocked at the firewall, then open holes for things that you can be certain you need. Ideally, those holes don't go direct to systems on the company LAN but instead to a DMZ.

    • by WD ( 96061 )

      The article left out the word "outbound". If you block everything (outbound) at the firewall, you are going to have some unhappy staff.

      • by Barny ( 103770 )

        Wait, if your blocking everything inbound, and now we need to block everything outbound....

        I will sell you my new "loose wire" protection system, it stops ALL remote exploits and costs just $11.99 a month (per seat) to implement!

  • ...but what about home users?

    This reminds me of the days of "winnuke" and blue screening IRC users back in the dialup days. Port 139 is probably already blocked at the firewall on even most of the most trivial configurations. But attack vectors aren't always direct. At times attacks are relayed through a malware infected machine giving a remote attacker local, "behind the router/firewall" access to all the other machines on the network.

  • This was my idea.

  • I'm used to it (Score:2, Interesting)

    by dogganos ( 901230 )

    This god damned code of windows sharing keeps bugging us for years! I've been 10 years net admin at a university with over 25K connected computers, and as long as I remember, port 445 and 139, 137 are always the target!
    How bad a code can be??????

  • IT staff? (Score:4, Insightful)

    by Shotgun ( 30919 ) on Monday November 16, 2009 @08:46AM (#30114548)

    Reader xploraiswakco adds, "As important as this the mentioned article is, it should also be pointed out that any IT staff worth their pay packet should already have port 139 blocked at the firewall, and probably port 445. too."

    The reader xploraiswakco needs to pull his head out of that dark place and realize that my wife doesn't have an IT staff (I refuse to do Windows). I would even dare to say that most people don't have an IT staff at home. It's a stretch, I know, But I'm the kind of guy that takes chances like that.

    Does reader xploraiswakco carry an IT staff with him in case he needs to use a wifi hotspot some place?

  • Yet again ... (Score:3, Informative)

    by daveime ( 1253762 ) on Monday November 16, 2009 @09:07AM (#30114708)

    From NT, XP, Vista, Windows 7 ...

    When are they going to learn that EVERY port from 0 - 65535 should be disabled by default, and only enabled if the user chooses ?

  • by fast turtle ( 1118037 ) on Monday November 16, 2009 @09:16AM (#30114784) Journal

    and the Linux Kernel SMB support? If it does, we've got a major problem as they now have a method of taking a whole batch of sites down.

Where there's a will, there's an Inheritance Tax.

Working...