Critical bug infests newer versions of Microsoft Windows
Redmond OS hardening has its limits
Microsoft has promised to patch a serious flaw in newer versions of its Windows operating system after hackers released exploit code that allows them to take complete control of the underlying machines.
The flaw, which affects various versions of Windows Vista, 2008, and the release candidate version of Windows 7, resides in the implementation of a network file sharing technology known as SMB, or server message block. The bug, which fails to adequately parse network negotiation requests, was previously believed only to generate a debilitating blue screen of death, but on Tuesday, Microsoft confirmed in some cases it could also be used to remotely execute malicious code on vulnerable machines.
The revelation shows that Microsoft's recent efforts to harden its software against attack only go so far. Despite building Windows Vista and 2008 from scratch and subjecting them to rigorous code reviews, the critical bug managed to escape notice. Even worse, security reviewers in Redmond managed to purge the bug from the final version of Windows 7, but allowed other Windows versions to remain vulnerable.
"This is a common practice at Microsoft of discovering critical software vulnerabilities in the latest releases and never back porting them to older (still supported) versions [and] therefore leaving customers hung out to dry," said Marc Maiffret, who as a 20-something year-old hacker, first spotted the vulnerability that led to the devastating Code Red Worm in 2001. He is now director of professional services at The DigiTrust Group.
"Also it is interesting that the vulnerability affects SMB as that was new to Vista and we can therefore assume had been through most of their strict code auditing standards yet we see again things are going to be missed, even extremely critical ones," he added.
To be fair, most attempts to exploit the bug will result in a simple crash of the machine, according to an advisory Microsoft published on Tuesday. What's more, the invulnerability of Windows 7 and Server 2008 R2 suggests Microsoft's security team is at least partially on top of the bug.
Still, the advisory means that at present there are at least two zero-day vulnerabilities in Microsoft products that are relied on by large business customers. In an updated advisory published Friday, company researchers said they were seeing "limited attacks" targeting a file transfer protocol component in the Internet Information Services webserver. For the most part, the attacks only cause vulnerable machines to crash, but an older version, IIS5, can be exploited to remotely execute malicious code.
Microsoft's Patch Tuesday came and went this week without a fix for either vulnerability. With exploit code released for both, don't be surprised if Microsoft issues an unscheduled update in the next couple of weeks.
In the meantime, admins should prevent attacks targeting SMB by disabling the service. If that's not possible, the two TCP ports used by the service, 139 and 445, should be blocked at the firewall. IIS users should protect themselves by turning off FTP if it's not needed, or at the very least, blocking FTP access to unauthenticated users. ®
This article was updated to correct the name of the vulnerable service. It's SMB, or server message block.
Vista take two?
I've got my RTM of Windows 7 running on my testbed machine and the annoying little bugs are popping up already. Is anyone going to fix the chkdsk bug? So far I've found plenty of sites telling me how it's not a bug, but a feature. Are we to believe that this is another "feature"? Carry on.
@Tom Smith 1
Samba has been around for Linux at least since I've been using it (circa 2000). So pretty much most of the development effort of samba has been by Andrew Tridgell and the other developers without m$ help. To whit they reverse engineered it, and a damn fine job they did of it too. I would be happy to bet 20p that m$ used the samba documentation and source code to help them document the server message block protocol (SMB).
@David 141, you might like to consider SMB over netbios quite nice and secure as netbios is not routable as TCP/IP is. Security by obscurity ? But yes SMB over netbios as implemented by m$ was a dogs dinner ! And of course the idiots at m$ implemented the security client-side instead of server side. Which is why it was so easily broken.
@windywoo - what is the airspeed velocity of a swallow ?
@Field Marshal Von Krakenfart - I've never had one crack yet ! Rumble yes, silent yes, smelly yes, and the occasional squeaky one when you are really trying to apply noise abatement techniques ! Other than that, I too suspect CTRL-C CTRL-V skullduggery from redmond.
Regarding the RTM acronym. Surely it should really be WTFM which stands for where's the flaming manual ? retard buys that glossy box the size of a small skyscraper thinking wow I'm getting loads here - and if you're lucky there's an install CD and a 'manual' that is smaller than the EULA in the box ! By breaking the cellophane to open this new toilet roll you have just invalidated your right to a refund. Great stuff ! A practice that remains acceptable to this day, though under any other guise it would be against the law.
I have no sympathy for m$ whatsoever. Yes it's true bugs occur in any system, but m$ make no proper attempt to test things before release. Couple that with the paranoia over loss of revenue through fraud (when half their revenue is by fraud) that leads to an OEM not giving you a restore disk, I have no time for them. They have their place, but if they were to go darwinian (i.e. bust) I would not miss them. Keep their current practice up, and I can but hope.
>Yes lets do that. MS have 95% marketshare but I really, really doubt that they have 95% of the bug
>reports here. Witness the amount of OSX, Linux and Flash vulnerabilities.
By that logic Windows could have 20 times more vulnerabilities (give or take) than OSX or Linux and be considered equally secure.