Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Windows Communications Microsoft Operating Systems Privacy Software Technology

Zero-Day Windows Security Flaw Can Crash Systems, Cause BSODs (helpnetsecurity.com) 64

Orome1 quotes a report from Help Net Security: A zero-day bug affecting Windows 10, 8.1, Windows Server 2012 and 2016 can be exploited to crash a vulnerable system and possibly even to compromise it. It is a memory corruption bug in the handling of SMB traffic that could be easily exploited by forcing a Windows system to connect to a malicious SMB share. Tricking a user to connect to such a server should be an easy feat if clever social engineering is employed. The vulnerability was discovered by a researcher that goes by PythonResponder on Twitter, and who published proof-of-exploit code for it on GitHub on Wednesday. The researcher says that he shared knowledge of the flaw with Microsoft, and claims that "they had a patch ready 3 months ago but decided to push it back." Supposedly, the patch will be released next Tuesday. The PoC exploit has been tested by SANS ISC CTO Johannes Ullrich, and works on a fully patched Windows 10. "To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers," he noted, and added that "it isn't clear if this is exploitable beyond a denial of service." Until a patch is released, administrators can prevent it from being exploited by blocking outbound SMB connections (TCP ports 139 and 445, UDP ports 137 and 138) from the local network to the WAN, as advised by CERT/CC. "The tweet originally announcing this issue stated that Windows 2012 and 2016 is vulnerable," the researcher said. "I tested it with a fully patched Windows 10, and it got an immediate blue screen of death."
This discussion has been archived. No new comments can be posted.

Zero-Day Windows Security Flaw Can Crash Systems, Cause BSODs

Comments Filter:
  • didn't they change it to a green screen?
  • Unless there's a PoC that demonstrates remote code execution, this isn't really newsworthy.
  • Ha! Joke's on you! I'm still running SMBv1 with NTLMv1!
  • sry, been drinkin' since noon. *grin* game on all and be safe.
  • Yet another reason, if we really *need* another, to quit using MS products. I used/supported MS products for 20 years as a sysadmin, but when I retired in 2010, I decided I was done with Windows on my personal systems. I had been dualbooting Win7 and Linux, but once I made the decision, I simply deleted the Win7 partition, and reinstalled grub. After 6 years of zero MS, I've not missed it a bit.. In fact, I'm forced to use Windows in a part-time volunteer support position with a local charity, and I find th

    • Yet another reason, if we really *need* another, to quit using MS products.
      [...]
      After seeing all of the multiple forms of abuse MS heaps on those who still use Windows...

      Hold your horses buddy! You can't just take my schadenfreude joy away! I mean, come on, not when the real suffering is just about to begin! ;)

  • If you have found someone stupid enough that you can socially engineer this way then you can get them to do something far worse without any need to exploit a bug. seems a pointless exploit at this point unless someone can work out a way to engineer a remote attack that doesn't involve user stupidity.
  • by duke_cheetah2003 ( 862933 ) on Friday February 03, 2017 @08:44PM (#53800177) Homepage

    Attacking SMB is retarded. SMB services should -never- ever be exposed to the internet, under any circumstances. Anyone who does expose SMB to the internet deserves to get hacked. Bury that crap in a VPN, use a firewall, and disregard this silliness.

    • Re:Stupid (Score:4, Informative)

      by Lord Crc ( 151920 ) on Friday February 03, 2017 @08:58PM (#53800233)

      SMB services should -never- ever be exposed to the internet, under any circumstances.

      If it's like the last SMB issue, then the issue is not that they send packets to an SMB server, but rather get the machine to connect (outbound) to a malicious SMB server, which replies with malicious packets.

      This can be done using standard phishing tricks.

      This is why one should block outbound SMB traffic as well.

      • This is why one should block outbound SMB traffic as well.

        As I said, firewall. Keep that junk contained to a intranet/VPN. SMB does not belong on the internet, in the clear at least.

        • This is why one should block outbound SMB traffic as well.

          As I said, firewall. Keep that junk contained to a intranet/VPN. SMB does not belong on the internet, in the clear at least.

          No Grandma ... look go to 192.168.1.1. No grandma in your browser ... no in Chrome type that in ... no go to firewall ...

        • by Anonymous Coward

          And that will prevent an attack from inside your network exactly how? Even if you disallow any foreign machines from attaching to your network, it only takes one connection to an existing compromised machine to spread. The only solution is to get rid of SMB network or fix the SMB stack.

          • by fisted ( 2295862 )

            Attacks from inside the network can typically be traced to one particular machine+user. Who's then getting fired and/or sued.

    • by Anonymous Coward
      It's not about exposing SMB services, it's about permitting SMB clients.
  • by Etcetera ( 14711 ) on Friday February 03, 2017 @09:01PM (#53800257) Homepage

    Regardless of whether they pushed it back or not, if they're planning to release next Tuesday then disclosing the hole with PoC exploit code is just irresponsible. You could have waited 5 more days.

    • Make sure your SMB is behind a firewall.
    • Regardless of whether they pushed it back or not, if they're planning to release next Tuesday then disclosing the hole with PoC exploit code is just irresponsible. You could have waited 5 more days.

      Probably because it will break a SHIT load of intranet and Sharepoint apps on corporate networks. Then the next headline on Slashdot is ... MS RELEASES EVIL UPDATE THAT RUINS CORPORATE NETWORKS ... then we see the negative comments here about updates etc.

      MS can not catch a break either way.

      Yes having SMB over TCP/IP sounds outright retarded. But many corporate apps on different subnets can not route SMB because of NetBie which is a non routable protocol layer 2 . So Sharepoint and VBScript encapsulate this

    • It depends on his motivations. He could be doing this to embarrass MS, but it may be that he's pressuring them to ensure that the patch gets released on Tuesday. He's been sitting on a 0-day for three months, so he could embarrass them at any time of his choosing. Why do it a few days before a patch Tuesday, i.e. when it will have the smallest impact?

  • " ... Windows ... Can Crash Systems, Cause BSODs " FTFY
  • by bheerssen ( 534014 ) <bheerssen@gmail.com> on Saturday February 04, 2017 @12:36AM (#53800879)
    I have an SMB server on my network and I think I just found a way to convince my family to switch to Linux.

You know you've landed gear-up when it takes full power to taxi.

Working...