Wilders Security Forums > Other Security Topics > malware problems & news

#1
November 13th, 2009, 06:56 PM
Dogbiscuit
First Windows 7 Exploit

Quote:
At this point, there's no grave danger for Windows 7 users. As Gaffié noted in his disclosure, exploiting the vulnerability can crash a host. That translates to rebooting the computer. Wisniewski noted that the zero-day vulnerability is not in worm form as of yet, and only applies to Windows 7 and Windows 2008 R2. That means it's simply a denial of service at this point.
Article
#2
November 13th, 2009, 07:58 PM
funkydude
Re: First Windows 7 Exploit

Considering what a massive hit Windows 7 has been so far, I'm surprised it's taken this long to find one! I'll be upgrading to Windows 7 soon and I can't wait.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
#3
November 13th, 2009, 10:48 PM
Rmus
Re: First Windows 7 Exploit

From the article:

Quote:
Although Microsoft did have issues with the SMB in the past, security researchers have noted that the SMB vulnerability was difficult to exploit with default firewall conditions. There is a workaround: Blocking ports 135, 139 and 445 on the router or firewall to prevent outside SMB traffic from getting into a system.
Note that these ports are constantly probed, as a search of your firewall logs will show:

[Attached image: kerio-135.gif]

[Attached image: kerio-139.gif]

Note also that these ports were the ones that Conficker exploited. A MSDN blog had this at the end of last year:

MS08-067 and the SDL
http://blogs.msdn.com/sdl/archive/20.../ms08-067.aspx
Quote:
We enabled the firewall by default in Windows XP SP2 and later, this was a direct learning from the Blaster worm. By default, ports 139 and 445 are not opened to the Internet on Windows XP SP2, Windows Vista and Windows Server 2008.
You may remember that the Blaster worm exploited Port 135 and the Slammer, Port 445.

It's pretty evident that ensuring that people have a firewall/router properly configured would prevent a lot of problems.

One caveat is with those who have file sharing enabled, in which case other precautions need to be taken.

regards,

-rich
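Pulling those probes out of a log file is a short script. The one below is an added example for this thread, not code from Rmus's post and not Kerio's log format: the line format, addresses and log contents are constructed, so the regular expression needs adapting to whatever your firewall actually writes.

```python
"""Triage firewall drop logs for probes of the Windows RPC/NetBIOS/SMB ports.

Added example for this thread, not Rmus's code and not Kerio's log format.
The log format below is a constructed, generic one; adapt LINE_RE to your
firewall's own syntax.
"""
import re
from collections import Counter, defaultdict

# Ports the thread discusses: 135 (RPC endpoint mapper), 137-139 (NetBIOS), 445 (SMB)
WATCHED_PORTS = {135, 137, 138, 139, 445}

# Constructed sample lines (not real log data; documentation addresses only)
SAMPLE_LOG = """\
2009-11-13 10:22:01 DROP TCP 198.51.100.23:4021 -> 192.168.1.10:445 SYN
2009-11-13 10:22:03 DROP TCP 198.51.100.23:4022 -> 192.168.1.10:139 SYN
2009-11-13 10:22:04 DROP TCP 198.51.100.23:4023 -> 192.168.1.10:135 SYN
2009-11-13 10:23:17 DROP TCP 203.0.113.77:55120 -> 192.168.1.10:445 SYN
2009-11-13 10:25:40 DROP UDP 203.0.113.9:1025 -> 192.168.1.10:137
2009-11-13 10:26:02 DROP TCP 192.0.2.14:33100 -> 192.168.1.10:80 SYN
2009-11-13 10:27:55 ACCEPT TCP 192.168.1.10:49201 -> 192.0.2.80:443 SYN
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ACCEPT) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smb_probes(log_text):
    """Keep only dropped packets aimed at the watched ports."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["dport"] in WATCHED_PORTS:
            probes.append(rec)
    return probes


def summarize(log_text):
    """Count probes per port and per source; flag sources that sweep several ports."""
    probes = smb_probes(log_text)
    per_port = Counter(p["dport"] for p in probes)
    per_source = Counter(p["src"] for p in probes)
    ports_by_source = defaultdict(set)
    for p in probes:
        ports_by_source[p["src"]].add(p["dport"])
    # a single source hitting three or more of these ports is sweeping, not stray traffic
    sweepers = sorted(src for src, ports in ports_by_source.items() if len(ports) >= 3)
    return {
        "total": len(probes),
        "per_port": dict(per_port),
        "per_source": dict(per_source),
        "sweepers": sweepers,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} probes of RPC/NetBIOS/SMB ports")
    for port, n in sorted(s["per_port"].items()):
        print(f"  port {port}: {n}")
    for src in s["sweepers"]:
        print(f"  {src} swept several of these ports")
```

Sources that sweep 135, 139 and 445 in quick succession are the ones worth a second look; a single SYN to 445 is background noise on any Internet-facing address.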
#4
November 14th, 2009, 10:32 PM
Dogbiscuit
Re: First Windows 7 Exploit

From DailyTech:

Quote:
Even if you block the ports, there is still a remote chance that you could be affected, via viewing a webpage in Internet Explorer. States Mr. Gaffie, "There is an Internet Explorer-based attack vector. By including a file stored on a share in the HTML of the web page the flaw can be triggered. But, once again the result is a denial of service."

Using Firefox, Chrome, Opera, or other third-party browser may help negate this route of attack.
#5
November 15th, 2009, 05:29 PM
Rmus
Re: First Windows 7 Exploit

Quote:
Originally Posted by Dogbiscuit
Quote:
States Mr. Gaffie, "There is an Internet Explorer-based attack vector...
In articles that appeared last week, that quote was attributed to Tyler Reguly, Lead Security Research Engineer with nCircle.

See:

Protect Your PCs from Windows 7's Zero-Day Exploit
November 12, 2009
http://www.pcworld.com/businesscente...y_exploit.html

Protect Your PCs from Windows 7's Zero-Day Exploit
November 13, 2009
http://www.thestandard.com/news/2009...s+%28all%29%29

Laurent Gaffié, in his blog, wrote that IE can be a trigger for the exploit, and his code shows SMB/Port 445 launching the Denial of Service:

Code:
import SocketServer
# SMB2 is the request-handler class defined earlier in Gaffié's script
launch = SocketServer.TCPServer(('', 445), SMB2)  # listen on all interfaces, port 445
launch.serve_forever()
See:

Windows 7 / Server 2008R2 Remote Kernel Crash
http://g-laurent.blogspot.com/2009/1...te-kernel.html

The IE trigger may launch the exploit internally via Netbios and the ports, but no working example has been given.

Microsoft adds to the confusion in its Advisory:

Microsoft Security Advisory (977544)
http://www.microsoft.com/technet/sec...ry/977544.mspx

Quote:
Can this vulnerability be exploited using Internet Explorer?

No. However, this issue may be exploited through Web transactions, regardless of browser type. In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user.
Meanwhile, as long as this is a Denial of Service attack, it may not attract the interest of malware writers, who are probably more interested in exploits that can install a trojan. However, no worms using this exploit have been released, so that remains to be seen.

Finally, an observation by Chet Wisniewski, senior security adviser at Sophos:

First Windows 7 Exploit Appears To Evade SDL Process
By Jennifer LeClaire November 13, 2009 10:23AM
http://www.newsfactor.com/news/First...d=031002F6WXWX

Quote:
Wisniewski said the author's [Gaffié] aggression toward Microsoft is interesting, but aside from that this is simply another everyday denial-of-service vulnerability in Windows.
And so it goes...

----
rich
#6
November 15th, 2009, 06:48 PM
Dogbiscuit
Re: First Windows 7 Exploit

Quote:
Originally Posted by Rmus
In articles that appeared last week, that quote was attributed to Tyler Reguly, Lead Security Research Engineer with nCircle.
It looks as though you may have caught a misquote on DailyTech.
#7
November 16th, 2009, 02:49 AM
softtouch
Re: First Windows 7 Exploit

Isn't it common that ports 135-139 and 445 are blocked by default in routers and software firewalls? At least, they are for me...
#8
November 18th, 2009, 12:14 AM
Rmus
Re: First Windows 7 Exploit

Quote:
Originally Posted by Dogbiscuit
It looks as though you may have caught a misquote on DailyTech.
Misquotes happen - interviewers speak with a number of people in researching an article and get things mixed up.

Here, the misquote is most unfortunate, since the person identified with the quote is the author of the exploit code and the one who notified Microsoft.

The correlation with IE specifically to this vulnerability has not been thoroughly discussed nor demonstrated.

regards,

----
rich
#9
November 18th, 2009, 12:27 AM
Rmus
Re: First Windows 7 Exploit

Quote:
Originally Posted by softtouch
Isn't it common that port 135-139 and 445 is blocked by default in routers and software firewalls? At least, it is for me...
The problem is with those who have file/print sharing enabled, which I referred to in my first post.

This came up during the MS08-067 RPC (remote procedure call) vulnerability, also involving ports 139 and 445, which the Conficker worm later used. In a Windows Secrets Newsletter from October of last year, Susan Bradley noted:

Rare out-of-cycle patch emphasizes the risk - MS08-067
http://windowssecrets.com/comp/081024

Quote:
While firewalls are a first line of defense against this attack [TCP ports 139 and 445], don't think you're secure just because you have a firewall. Malware and viruses use many different techniques to wiggle their way into our systems.

For example, my office's networks are protected by firewalls on the outside, but inside the network, PCs have file and printer sharing enabled. If a worm got loose inside the office network (and the patch hadn't been installed), the attack would spread like wildfire.
How this exploit could be triggered internally still has yet to be demonstrated, but the possibility for worm propagation exists, depending on the strength of a system's other security measures.

regards,

-rich
 
