
SUMware
Premium
join:2002-05-21
kudos:2

1 edit

Vista, Win7, Server 2008 BSOD Exploit

From The Register
8th September 2009 -
said by John Leyden :
Post-Vista Windows flaw creates Blue Screen risk

Miscreants have created an exploit capable of crashing Windows boxes and triggering the infamous Blue Screen of Death.

The attack relies on exploiting an unpatched vulnerability in Microsoft's implementation of SMB2 (Server Message Block), a network protocol involved in the sharing of files and printers on a network.

Windows 2000/XP are not affected by the exploit, but newer flavours of Windows 7, Vista and Server 2008 are all at risk. Proof-of-concept code demonstrating the vulnerability was published on Monday.

Attacks based on the flaw could cause all sorts of trouble in corporate environments, in particular. Fortunately, basic firewall defences are enough to dampen the threat, according to a preliminary assessment of the problem by security researchers at the Internet Storm Centre (ISC).

"The exploit needs no authentication, only file sharing enabled with one packet to create a BSOD [Blue Screen of Death]," ISC researchers warn. "We recommend filtering access to port TCP 445 with a firewall."

Five Windows specific critical patches are due out later on Tuesday. It's rather unlikely that any will plug the new BSOD vuln. Past form indicates that the release was timed to outflank Microsoft's security gnomes and provide for the maximum exploit period.
[some emphasis added]

matunga

join:2003-07-26

Windows Firewall is enabled by default, so the exploit can't work from remote.



Cabal
Premium
join:2007-01-21
Austin, TX

1 edit

reply to SUMware
Sample code works perfectly, takes down a Server 2008 file server in seconds.
--
Obamanomics: Trickle-up poverty.



Cabal
Premium
join:2007-01-21
Austin, TX

reply to matunga

said by matunga:

Windows Firewall is enabled by default, so the exploit can't work from remote.

Doesn't help on file servers and when access is permitted for local LAN.
--
Obamanomics: Trickle-up poverty.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ

reply to Cabal
What good is a file server with blocked filesharing ports?
--
standard disclaimers apply.



EGeezer
Summertime
Premium
join:2002-08-04
Midwest
kudos:7

reply to SUMware

BSOD Exploit - also a RemoteExec exploit.

According to a comment posted in the SANS diary, it's not just a BSOD exploit, it can also be a remote execution exploit.

From the comments section;
There are indications this might be a Remote Exploit vulnerability and not merely a DOS.
»www.reversemode.com/index.php?op···temid=15
Dup of SUMware's ISC link for convenience.
»isc.sans.org/diary.html?storyid=7093
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

1 edit

reply to SUMware

Re: Vista, Win7, Server 2008 BSOD Exploit

Addendum:

From: The Register

Critical bug infests newer versions of Microsoft Windows
quote:
Microsoft has promised to patch a serious flaw in newer versions of its Windows operating system after hackers released exploit code that allows them to take complete control of the underlying machines.

The flaw, which affects various versions of Windows Vista, 2008, and the release candidate version of Windows 7, resides in the implementation of a network file sharing technology known as SMB, or server message block. The bug, which fails to adequately parse network negotiation requests, was previously believed only to generate a debilitating blue screen of death, but on Tuesday, Microsoft confirmed in some cases it could also be used to remotely execute malicious code on vulnerable machines.

The revelation shows that Microsoft's recent efforts to harden its software against attack only go so far. Despite building Windows Vista and 2008 from scratch and subjecting them to rigorous code reviews, the critical bug managed to escape notice. Even worse, security reviewers in Redmond managed to purge the bug from the final version of Windows 7, but allowed other Windows versions to remain vulnerable.
Full Article

Further reading

From: Neowin
quote:
Microsoft has issued a formal security advisory in response to the latest flaw discovered within its Windows operating systems, shedding a bit of light on the issue. According to CNET, Microsoft believes that the flaw will not cause any problems for Windows 7 users, and instead only for those on Windows Vista and Windows Server 2008 (not Server 2008 R2, though).

The advisory, found here, stated the following: Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
More Here

--
siljaline

Here at Mountain View Chocolate, we’re committed to transparency and choice


trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:1

So let me get this straight, Windows 7 RTM isn't vulnerable?
--
Tom



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

said by trparky:
quote:
So let me get this straight, Windows 7 RTM isn't vulnerable?
From the Reg Article
quote:
To be fair, most attempts to exploit the bug will result in a simple crash of the machine, according to an advisory Microsoft published on Tuesday. What's more, the invulnerability of Windows 7 and Server 2008 R2 suggests Microsoft's security team is at least partially on top of the bug.
--
siljaline

Here at Mountain View Chocolate, we’re committed to transparency and choice

SUMware
Premium
join:2002-05-21
kudos:2

reply to SUMware

Old patch introduced SMBv2 flaw, says finder

From SecurityFocus
2009-09-11 -
quote:
In December 2007, Microsoft patched the file- and printer-sharing functionality in Windows Vista to fix a medium-severity vulnerability. Unfortunately, the company inadvertently added a critical flaw, a security researcher said on Friday.

In an e-mail interview with SecurityFocus, Laurent Gaffié -- the researcher that disclosed a critical flaw in Microsoft's Server Message Block (SMB) version 2 code earlier this week -- said that further research pinpointed the specific patch that added the vulnerability to Windows Vista. The patch, which fixed a remote execution flaw in SMBv2 signing, was rated Important by Microsoft because the vulnerable feature was not turned on by default. The vulnerability that the patch allegedly introduced could allow an attacker to exploit an affected system in its default configuration, which usually merits a Critical rating from Microsoft.

"The only thing I know regarding this 'patching' process is, when they fixed this code, they opened another bigger, worse security issue," Gaffié said in the e-mail interview.

Microsoft denied the claim in a statement issued to SecurityFocus on Friday.

"We researched this claim by the researcher and confirmed this vulnerability was not introduced by MS07-063," Christopher Budd, security response communications lead for Microsoft, said in a statement.

On Monday, Gaffié posted some details of the flaw to his blog. He labeled the issue a crash bug, a problem frequently referred to as the "Blue Screen of Death," or BSOD, because Windows displays a blue screen with an error message when it crashes. Microsoft acknowledged the vulnerability and also confirmed other researchers' reports that the issue could allow a system to be compromised by an attacker.

Security firms warned that the issue could be used as a propagation vector by a network worm.

The vulnerability affects Windows Vista, pre-R2 versions of Windows Server 2008, and earlier versions of Windows 7, Microsoft's soon-to-be-released operating system. The version of Windows 7 released to manufacturers does not have the flaw, Microsoft said in its advisory.

Microsoft created its Trustworthy Computing Initiative to catch just this sort of issue. As part of the initiative, the company created its Secure Development Lifecycle, a method of creating software that exposes code to continuous review in hopes of eliminating software vulnerabilities before they affect Microsoft customers. Windows Vista is the first Microsoft operating system to be completely developed under the auspices of the program.
