Windows 7 SMB exploit confirmed
Posted on 16 Nov 2009 at 11:39
Microsoft has confirmed the existence of an exploitable bug, exposed last week by Canadian researcher Laurent Gaffie on the Full Disclosure mailing list and on his own blog.
The exploit causes a kernel crash. This freezes an affected Windows 7 or Server 2008 R2 system, requiring a hard reboot. However, it appears that it can't be used to directly harm a system in any other way.
Microsoft has issued a security advisory recommending that users "block TCP ports 139 and 445 at the firewall" and "block all SMB communications to and from the internet" - the latter is part of the default Windows firewall configuration. The advisory also indicated the Redmond giant's displeasure with Gaffie's public announcement of the vulnerability, stating that "Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed". The advisory does not include any details of when a patch will be released.
The exploit code takes advantage of a bug in the way Windows 7 and Server 2008 R2 implement the Server Message Block (SMB) network protocol - the basis of Windows File Sharing - causing a remote kernel crash and freezing the PC. A crash of this sort would be unlikely to do any more than irritate the average home user, but it could have more impact on, for example, a small business that used an unattended Server 2008 machine to handle orders.
According to Gaffie's vulnerability report, the bug can theoretically be triggered from outside the local network via a browser - he writes: "what ever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks (no user interaction) How funny."
Microsoft confirms that it could be exploited remotely, saying that "an attacker would have to host a Web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user. This response would cause the user's system to stop responding until manually restarted."
Fortunately, it's unlikely that any system would be configured to make it vulnerable to this threat from outside the local network, thanks to the default Windows Firewall settings. Although this isn't a major exploit, the publicity it has attracted comes as a minor blow to confidence in Microsoft's latest operating system.
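The advisory's mitigation, no SMB traffic to or from the internet on TCP ports 139 and 445, can be checked against perimeter flow logs. The Python below is an added example, not part of the original article or of Microsoft's advisory; the log format, the sample records and the internal address ranges are constructed assumptions.

```python
import ipaddress

SMB_PORTS = {139, 445}  # the TCP ports named in Microsoft's advisory

# Assumption: these ranges are the site's internal networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, assumed format: "src dst dport proto action".
SAMPLE_FLOWS = """\
10.0.0.21 10.0.0.5 445 tcp allow
10.0.0.21 203.0.113.40 445 tcp allow
10.0.0.34 198.51.100.7 139 tcp deny
10.0.0.34 198.51.100.7 443 tcp allow
192.168.1.9 203.0.113.40 445 udp allow
198.51.100.99 10.0.0.5 445 tcp deny
this line is malformed
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def find_external_smb(log_text):
    """Return (src, dst, port, action) for TCP 139/445 flows crossing the perimeter."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        src, dst, dport, proto, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "tcp" or port not in SMB_PORTS:
            continue
        # Internal file sharing is expected; flag flows with exactly one external side.
        if is_internal(src_ip) != is_internal(dst_ip):
            findings.append((src, dst, port, action))
    return findings

def unblocked(findings):
    """Perimeter-crossing SMB flows that the firewall did not deny."""
    return [f for f in findings if f[3] != "deny"]

if __name__ == "__main__":
    for src, dst, port, action in unblocked(find_external_smb(SAMPLE_FLOWS)):
        print(f"SMB crossing perimeter not blocked: {src} -> {dst}:{port} ({action})")
```

Any record returned by `unblocked` is a host that could still be made to open an SMB connection to a server outside the network, which is the path Microsoft's advisory describes.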
Author: Kat Orphanides

