Windows 7 SMB Flaw Gets Security Advisory from Microsoft

Posted: November 17, 2009

The end of last week was not a pleasant one for Microsoft: a new denial-of-service vulnerability was reported in the Server Message Block (SMB) protocol in Windows 7 and Windows Server 2008 R2, on both 32-bit and 64-bit platforms.

The Windows 7 SMB flaw was misreported as a 'zero day exploit' and was later acknowledged in a security advisory. After the threat was reported, Microsoft published a Security Advisory that gives the necessary details about the scope and nature of a possible attack, along with actions users can take immediately to protect their affected systems.

Reportedly, cyber criminals can exploit the SMB bug to remotely crash any computer running Windows 7 or Windows Server 2008 R2, but the bug does not result in any other type of damage. Microsoft has confirmed that functional exploit code has been made available for the disclosed vulnerability. However, it is not currently aware of any active attacks in the wild that use the published exploit code. In the recently released advisory, Microsoft clarified that the flaw is rather limited in its possible effect: an attacker cannot use it to gain control of vulnerable systems or to install malicious software.

The advisory rebukes the researcher, Laurent Gaffié, for revealing the vulnerability with exploit code before Microsoft had an opportunity to fix it. Microsoft also says that this vulnerability is not related to MS09-050, a 'Vulnerability in SMBv2 Could Allow Remote Code Execution', which is another flaw in Windows 7 that was reported by a researcher and patched in October. Microsoft says it does not yet know of any attacks against the flaw, but it has seen public and detailed exploit code that would cause a system to stop functioning or become untrustworthy. A patch is not yet available.

Microsoft is preparing a security update that will fix this issue. Still, the earliest users can expect to see that update is possibly Microsoft's Patch Tuesday for December, which isn't until December 8th. Meanwhile, there are some workarounds users can apply to protect their computer systems against exploitation of this vulnerability. Users should block the primary SMB-specific TCP ports, that is, 139 and 445, at the standard firewall. The recommended action helps defend against exploits from outside the network, but it also disables the ability to use certain functions and services through the firewall, such as Group Policy, Net Logon, and Computer Browser. Presently, the bug is only able to freeze the system, after which a manual restart is needed. Luckily, it does not make it possible to run commands or install malware.

These functions and services should not be allowed across the firewall anyway. A VPN connection should be required to provide a safe, encrypted tunnel for accessing internal services and resources across the firewall. If a user connects over a VPN, these functions are not affected when the ports are blocked at the firewall. Although this workaround defends against some exploits, Microsoft also acknowledged that hackers can exploit the bug not only by sending a malicious attack packet from another computer on the network but also by creating a malicious Web page and enticing users to click on a link to a shared file. Browsing the site could cause an affected system to make an SMB connection to an attacker-controlled server, which would crash the computer system. That method can be used to exploit the SMB flaw from any type of Web browser, not just Microsoft's Internet Explorer. The only recommendation for users is not to click on unidentified links in e-mails or instant messages, which is the normal recommendation for avoiding any type of computer parasite.
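
Both paths described above, SMB traffic arriving from outside the network and an internal machine lured into an SMB connection to an outside server, can be looked for in firewall logs. The script below is an added example, not code from this article or from Microsoft's advisory; the log format, the internal address ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress

SMB_PORTS = {139, 445}  # the TCP ports the advisory workaround blocks at the firewall

# Assumed internal address space; adjust to the real network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in an assumed format: "src_ip dst_ip dst_port action".
SAMPLE_FLOWS = """\
203.0.113.7 10.0.0.15 445 ALLOW
10.0.0.21 10.0.0.5 445 ALLOW
10.0.0.33 198.51.100.9 445 ALLOW
10.0.0.33 198.51.100.9 443 ALLOW
203.0.113.8 10.0.0.15 139 DENY
bad line
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in INTERNAL_NETS)

def classify(line):
    """Return 'inbound' or 'outbound' for an allowed SMB flow that crosses
    the perimeter; return None for anything else, including malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, port, action = parts
    try:
        port = int(port)
        src_in, dst_in = is_internal(src), is_internal(dst)
    except ValueError:
        return None
    # Internal-to-internal SMB is expected; only flows crossing the firewall matter.
    if port not in SMB_PORTS or action != "ALLOW" or src_in == dst_in:
        return None
    return "outbound" if src_in else "inbound"

def find_perimeter_smb(log_text):
    """List (direction, line) for every allowed SMB flow through the firewall."""
    pairs = ((classify(line), line) for line in log_text.splitlines())
    return [(direction, line) for direction, line in pairs if direction]

if __name__ == "__main__":
    for direction, line in find_perimeter_smb(SAMPLE_FLOWS):
        print(f"{direction:8} SMB allowed through firewall: {line}")
```

An "outbound" finding corresponds to the Web-page scenario, where the affected system itself opens the SMB connection, so the port block is worth applying in both directions.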