The Register® — Biting the hand that feeds IT

Feeds

Critical bug infests newer versions of Microsoft Windows

Redmond OS hardening has its limits

By Dan Goodin, 9th September 2009
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Microsoft has promised to patch a serious flaw in newer versions of its Windows operating system after hackers released exploit code that allows them to take complete control of the underlying machines.

The flaw, which affects various versions of Windows Vista, 2008, and the release candidate version of Windows 7, resides in the implementation of a network file sharing technology known as SMB, or server message block. The bug, which fails to adequately parse network negotiation requests, was previously believed only to generate a debilitating blue screen of death, but on Tuesday, Microsoft confirmed in some cases it could also be used to remotely execute malicious code on vulnerable machines.

The revelation shows that Microsoft's recent efforts to harden its software against attack only go so far. Despite building Windows Vista and 2008 from scratch and subjecting them to rigorous code reviews, the critical bug managed to escape notice. Even worse, security reviewers in Redmond managed to purge the bug from the final version of Windows 7, but allowed other Windows versions to remain vulnerable.

"This is a common practice at Microsoft of discovering critical software vulnerabilities in the latest releases and never back porting them to older (still supported) versions [and] therefore leaving customers hung out to dry," said Marc Maiffret, who as a 20-something year-old hacker, first spotted the vulnerability that led to the devastating Code Red Worm in 2001. He is now director of professional services at The DigiTrust Group.

"Also it is interesting that the vulnerability affects SMB as that was new to Vista and we can therefore assume had been through most of their strict code auditing standards yet we see again things are going to be missed, even extremely critical ones," he added.

To be fair, most attempts to exploit the bug will result in a simple crash of the machine, according to an advisory Microsoft published on Tuesday. What's more, the invulnerability of Windows 7 and Server 2008 R2 suggests Microsoft's security team is at least partially on top of the bug.

Still, the advisory means that at present there are at least two zero-day vulnerabilities in Microsoft products that are relied on by large business customers. In an updated advisory published Friday, company researchers said they were seeing "limited attacks" targeting a file transfer protocol component in the Internet Information Services webserver. For the most part, the attacks only cause vulnerable machines to crash, but an older version, IIS5, can be exploited to remotely execute malicious code.

Microsoft's Patch Tuesday came and went this week without a fix for either vulnerability. With exploit code released for both, don't be surprised if Microsoft issues an unscheduled update in the next couple of weeks.

In the meantime, admins should prevent attacks targeting SMB by disabling the service. If that's not possible, the two TCP ports used by the service, 139 and 445, should be blocked at the firewall. IIS users should protect themselves by turning off FTP if it's not needed, or at the very least, blocking FTP access to unauthenticated users. ®

This article was updated to correct the name of the vulnerable service. It's SMB, or server message block.

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (45)
Latest Comments
Anonymous Coward

Vista take two?

I've got my RTM of Windows 7 running on my testbed machine and the annoying little bugs are popping up already. Is anyone going to fix the chkdsk bug? So far I've found plenty of sites telling me how it's not a bug, but a feature. Are we to believe that this is another "feature"? Carry on.

0
0
Homard

@Tom Smith 1

Samba has been around for Linux at least since I've been using it (circa 2000). So pretty much most of the development effort of samba has been by Andrew Tridgell and the other developers without m$ help. To whit they reverse engineered it, and a damn fine job they did of it too. I would be happy to bet 20p that m$ used the samba documentation and source code to help them document the server message block protocol (SMB).

@David 141, you might like to consider SMB over netbios quite nice and secure as netbios is not routable as TCP/IP is. Security by obscurity ? But yes SMB over netbios as implemented by m$ was a dogs dinner ! And of course the idiots at m$ implemented the security client-side instead of server side. Which is why it was so easily broken.

@windywoo - what is the airspeed velocity of a swallow ?

@Field Marshal Von Krakenfart - I've never had one crack yet ! Rumble yes, silent yes, smelly yes, and the occasional squeaky one when you are really trying to apply noise abatement techniques ! Other than that, I too suspect CTRL-C CTRL-V skullduggery from redmond.

Regarding the RTM acronym. Surely it should really be WTFM which stands for where's the flaming manual ? retard buys that glossy box the size of a small skyscraper thinking wow I'm getting loads here - and if you're lucky there's an install CD and a 'manual' that is smaller than the EULA in the box ! By breaking the cellophane to open this new toilet roll you have just invalidated your right to a refund. Great stuff ! A practice that remains acceptable to this day, though under any other guise it would be against the law.

I have no sympathy for m$ whatsoever. Yes it's true bugs occur in any system, but m$ make no proper attempt to test things before release. Couple that with the paranoia over loss of revenue through fraud (when half their revenue is by fraud) that leads to an OEM not giving you a restore disk, I have no time for them. They have their place, but if they were to go darwinian (i.e. bust) I would not miss them. Keep their current practice up, and I can but hope.

0
0
Ned Ludd

@ windywoo

>Yes lets do that. MS have 95% marketshare but I really, really doubt that they have 95% of the bug

>reports here. Witness the amount of OSX, Linux and Flash vulnerabilities.

By that logic Windows could have 20 times more vulnerabilities (give or take) than OSX or Linux and be considered equally secure.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
124
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
57
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
13