On CBS.com: You a Race Fan?Play Amazing Race Fantasy
BNET Business Network:
BNET
TechRepublic
ZDNet

November 16th, 2009

Microsoft confirms 'detailed' Windows 7 exploit

Posted by Ryan Naraine @ 10:25 am

Categories: Arbitrary Code Execution, Browsers, Denial of Service (DoS), Exploit code, Microsoft, Passwords, Patch Watch, Punditocracy, Vulnerability research, Windows Vista

Tags: Denial Of Service, Web, Attacker, Vulnerability, Microsoft Corp., Web Site, Small And Medium Business, Microsoft Windows 7, Microsoft Windows, Smb/Sme

Microsoft has issued a security advisory to acknowledge a crippling denial-of-service flaw affecting its newest operating systems — Windows 7 and Windows Server 2008 R2.

Exploit code for the vulnerability was released by researcher Laurent Gaffié after failed attempts to get Microsoft’s security response center to acknowledge that this was an issue that needs to be patched (SEE UPDATE BELOW).

Following the publication of Gaffié’s exploit, Microsoft swiftly released Security Advisory 977544 with pre-patch mitigations and a confirmation that the “detailed” code could provide a roadmap for hackers to cause Windows 7 and Windows Server 2008 R2 systems to stop responding until manually restarted.

Here’s an explanation of the cause of the vulnerability:

The kernel in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers to cause a denial of service (infinite loop and system hang) via a (1) SMBv1 or (2) SMBv2 response packet that contains a NetBIOS header with an incorrect length value.

The vulnerability can be exploited via the Web:

In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user. This response would cause the user’s system to stop responding until manually restarted. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker’s site.

In the absence of a patch, Microsoft recommends that affected users block TCP ports 139 and 445 at the firewall.  Windows users should also block all SMB communications to and from the Internet to help prevent attacks.

UPDATE: Gaffié wrote in to clarify that his decision to release this exploit was related to Microsoft’s stance on a different vulnerability, which is also unpatched.

Ryan NaraineRyan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Email Ryan Naraine

For daily updates on Ryan's activities, follow him on Twitter.

Subscribe to Zero Day via Email alerts or RSS.

  • Talkback
  • Most Recent of 166 Talkback(s)
I meant when you're trolling, like right now.

 (Read the rest)
Posted by: AzuMao Posted on: 11/22/09 You are currently: a Guest | | Terms of Use
Ummm interesting....  Ceridan | 11/16/09
Typically not blocked  honeymonster | 11/16/09
so 445 and 139...  Ceridan | 11/16/09
No, they are always blocked  honeymonster | 11/16/09
Tought so...[NT]  Ceridan | 11/16/09
you should qualify "will not" in the sentence used  TG2 | 11/17/09
You are correct. Thanks  honeymonster | 11/17/09
Good follow-up  djchandler | 11/17/09
No, that's simply wrong in every way.  TripleII | 11/16/09
If you're going to correct someone  LiquidLearner | 11/16/09
Just Curious  dev-null | 11/18/09
Yep, you are wrong  honeymonster | 11/16/09
You were unclear.  TripleII | 11/16/09
I apologize  honeymonster | 11/17/09
Yay, looks like MS finally did it right this time, with Windows 7.. oh wait  AzuMao | 11/16/09
Re: Yay.................  Disgruntled M$ User | 11/17/09
**** your stupid little Macs.  AzuMao | 11/17/09
It's started already.  bjbrock | 11/16/09
Doubtful.  CobraA1 | 11/16/09
From what I've seen....  bjbrock | 11/16/09
One word: BUILT WITH SECURITY IN MIND  Lerianis10 | 11/16/09
Well what do you think most Windoze users are?  UAC nanny screen | 11/16/09
Sure...  Sleeper Service | 11/17/09
"Sure..."  AdventTech67 | 11/17/09
Yeah but that won't work as its not "root"'s password  deaf_e_kate | 11/17/09
That doesn't bode well for UAC, now does it  UAC nanny screen | 11/17/09
erm not quite  JamesDoyle | 11/17/09
Re: "You can't legislate for human stupidity."  AzuMao | 11/18/09
& yet the Division of Motor Vehicles issues these same folks  AdventTech67 | 11/17/09
Oh I've accepted that fact a long time ago  UAC nanny screen | 11/17/09
That;s a phrase, not a word.  wolftalamasca | 11/17/09
Examples??  CobraA1 | 11/16/09
You're kidding, right?  lehnerus2000 | 11/16/09
I've heard this somewhere before.  AdventTech67 | 11/17/09
umm...  Ceridan | 11/16/09
It's started already.  rob.sharp@... | 11/16/09
You mean the Trolling? You're right.  John Zern | 11/16/09
garbage  enjeruookami | 11/16/09
RE BJ brock  j-mccurdy@... | 11/17/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  mmcgowan1 | 11/16/09
And I thought the Mac commercial was lame  davidr69 | 11/16/09
Just ask Apple  andtherestofus | 11/16/09
Ummmmm...howbout some real info?  No More Microsoft Software Ever! | 11/16/09
Think again? happy  chitwndave | 11/16/09
MS tactics / Apple commercial  davidr69 | 11/16/09
What I find funny  rparker009 | 11/16/09
What I find funny is...  zkiwi | 11/17/09
Windows Trust me Commercial?  Just Great | 11/16/09
No, you were right. (nt)  Lester Young | 11/16/09
Is that what we call hackers now?  RealGem | 11/16/09
Benevolent Hacker  Dr_Zinj | 11/16/09
Hackers, crackers and security researchers....  Ceridan | 11/16/09
Internal components  Ole Man | 11/18/09
Have you ever noticed that some holes are never acknowledged...  vulpine@... | 11/17/09
Um what?  ITSamurai | 11/17/09
Exactly  AzuMao | 11/18/09
Epic fail. Just go kill yourself.  AzuMao | 11/18/09
Nothing less the extortion  Stan57 | 11/16/09
Nothing less than external checks  turkytom@... | 11/16/09
Keep in mind that...  vulpine@... | 11/17/09
BIT confused. You yappin bout OS or HardWare?  No More Microsoft Software Ever! | 11/16/09
How is it extortion...?  vulpine@... | 11/17/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  Malithorne | 11/16/09
Nope  honeymonster | 11/16/09
question  mrdt | 11/16/09
Try this  honeymonster | 11/16/09
Try this  AndyPagin | 11/17/09
Win 7: "OS with the fewest discovered vulnerabilities"  jacarter3 | 11/16/09
No one innovates.  Spiritusindomit@... | 11/16/09
Well, Vista held that title for 3 years.  honeymonster | 11/16/09
you knoq  rparker009 | 11/16/09
That's because...  Spiritusindomit@... | 11/16/09
I would argue that with one statement...  vulpine@... | 11/17/09
Did you actualy read the report?  Mike_ | 11/17/09
re: Any OS who's security relies on the question "Do you want to (...)"  ahumeniy | 11/16/09
I remember both Gnome and KDE on Linux had that exactly behavior.  AndyPagin | 11/17/09
Blindly clicking.....  Lester Young | 11/18/09
Whose in charge at Microsoft?  ironfist03 | 11/16/09
Answer: Microsoft Security Response Team  honeymonster | 11/16/09
Tough love.  CrunchyFerrett | 11/16/09
Ah, but the fact is that  Lerianis10 | 11/16/09
If you think  tealcat | 11/16/09
Nothing is secure if you don't use it wisely.  CrunchyFerrett | 11/16/09
For the sake of Windows the fanbois should stop spreading the lie that win7  The Mentalist | 11/16/09
No more a lie than saying any other OS is secure.  CobraA1 | 11/16/09
Here's a quarter - buy yourself a clue  rag@... | 11/16/09
Not to mention that in almost 16 years  UAC nanny screen | 11/16/09
I think his point was...  vulpine@... | 11/17/09
Hackers?  Ceridan | 11/16/09
Crackers are a subset of Hackers and...  The Mentalist | 11/16/09
Then..  ahumeniy | 11/16/09
Don't be a moron  donc13 | 11/16/09
That's very sound advice, I've been following it all my life now...  The Mentalist | 11/16/09
Wrong again  donc13 | 11/16/09
IMPORTANT MICROSOFT ZDNET  alih_eng@... | 11/16/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  OJB | 11/16/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  elpassandor | 11/16/09
If your computer &/or server are behind any decent router...  IT_Guy_z | 11/16/09
"after failed attempts"...  PollyProteus | 11/16/09
John C. Dvorak said it well...  Roc Riz | 11/16/09
He always does that (-:  Earthling2 | 11/16/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  gertruded | 11/16/09
Here we go again  NStalnecker | 11/16/09
What? You're still here? Two words then...  The Mentalist | 11/16/09
Lol nice pic.  CounterEthicsCommissioner | 11/16/09
RE: Here we go again!  bfilipiak@... | 11/16/09
LOOK EVERYONE!!@(#@!! HE MENTIONS ME!!@#*#!!  Loverock Davidson | 11/17/09
Disabling NetBIOS?  s_southern | 11/16/09
Disable NetBios! Easy peezy lemon squeezy.  andrej770 | 11/16/09
Almost as lame as a potato in a tail pipe.  invmgr@... | 11/16/09
It is very comorting  On Site PC | 11/16/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  ironfist03 | 11/16/09
Question about the default firewall setting.  TripleII | 11/16/09
How to test  Earthling2 | 11/16/09
Thanks Earthling2  lehnerus2000 | 11/17/09
How to block outbound connections  Earthling2 | 11/17/09
Thanks again Earthling2  lehnerus2000 | 11/17/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  WAArnold | 11/16/09
You dont even understand what's all about...  elpassandor | 11/16/09
Allchin said it best....  whisperycat | 11/16/09
Out of Context!  FiOS-Dave | 11/16/09
Denial, version 10 from the MS party faithfull  whisperycat | 11/17/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  rparker009 | 11/16/09
Lethargic Insecure Operating System  Use_More_OIL_NOW | 11/16/09
:CLOUD"!!!???  On Site PC | 11/16/09
Hmm. Question for ya  NStalnecker | 11/16/09
Unusual position for me, supporting MS  JoeSch | 11/16/09
Marginally better than  tracy anne | 11/17/09
This time, it's going to be different  ejhonda | 11/16/09
Now that was different...  zkiwi | 11/16/09
Oh please. Apple = 58 Security Patches  trance2tec | 11/17/09
oh please. Ms=58 gazillions of unpatched holes  ljenux-23043766007667558234416105604265 | 11/17/09
Newsflash! Add this one more problem to the Windows ecosystem.  AdventTech67 | 11/17/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  bhasinusc@... | 11/17/09
Or you can just block relevant outbound ports for public networks  Earthling2 | 11/17/09
RE: Microsoft confirms 'detailed' Windows 7 exploit  bhasinusc@... | 11/17/09
Linux, Linux, Linux..  arcebus@... | 11/17/09
and still is happy  ljenux-23043766007667558234416105604265 | 11/17/09
Win 7 now confirmed as a Microsoft product  bbneo | 11/17/09
This is Hilarious. Listen to all the Microsoft apologists.  AdventTech67 | 11/17/09
Why does Microsoft continue to treat these people as adversaries?  ye | 11/17/09
They did not sweep it under the carpet  honeymonster | 11/17/09
The common expression is "blackmail"  pvandck | 11/17/09
Thanks for the clarification.  ye | 11/18/09
What consumer OS doesn't have an exploit?  youzer | 11/17/09
RE: advent tech  j-mccurdy@... | 11/17/09
Or they're more vocal about the problems because they have higher standards  AzuMao | 11/17/09
LOL  j-mccurdy@... | 11/18/09
Make up your mind..  AzuMao | 11/18/09
RE Make up your mind..  j-mccurdy@... | 11/18/09
Haha, good one.  AzuMao | 11/18/09
Does ZDNet delete posts not in agreement with the blogger?  Gruffydd | 11/18/09
Nope, they delete off topic personal attacks  rtk | 11/18/09
So has yours  UAC nanny screen | 11/21/09
Is that why most of your posts get deleted? *NEW*  AzuMao | 11/22/09
Nice try *NEW*  rtk | 11/22/09
I meant when you're trolling, like right now. *NEW*  AzuMao | 11/22/09
RE Gruffydd *NEW*  j-mccurdy@... | 11/18/09
RE j-mccurdy@...  *NEW*  Gruffydd | 11/18/09
It's not what you did, but what you didn't do. *NEW*  AzuMao | 11/18/09
Do us all a favor and take your own advice for once. Thanks. *NEW*  AzuMao | 11/18/09
Windoze Loozer *NEW*  Jolohaga | 11/18/09
Your goal is to do nothing but windows bashing. *NEW*  lionic | 11/18/09
2 things (at least) to worry about *NEW*  a_gautier | 11/18/09
Very Interesting, Good Post. Good Thinking. (nt) *NEW*  joe.smetona@... | 11/19/09
RE: Microsoft confirms 'detailed' Windows 7 exploit *NEW*  Ez_Customs | 11/19/09

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

Essential Topics Click Here

advertisement

Recent Entries

advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

  • Smart Tech Expert advice on innovations in healthcare and the green technologies that make it happen. Find out more
  • Smart Business Discussion and advice on management issues that revolve around making your world smarter and more useful. More Smart Advice
  • Smart People The best and worst moves in the management and strategy trenches. Learn More