First Windows 7 Exploit

Discussion in 'malware problems & news' started by Dogbiscuit, Nov 13, 2009.

Thread Status:
Not open for further replies.
  1. Dogbiscuit

    Dogbiscuit Guest

    Article
     
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Considering what a massive hit Windows 7 has been so far, I'm surprised it's taken this long to find one! I'll be upgrading to Windows 7 soon and I can't wait. :)
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    From the article:

    Note that these ports are constantly probed, as a search of your firewall logs will show:

    [Kerio firewall log screenshots: inbound probes on ports 135 and 139]

    Note also that these ports were the ones that Conficker exploited. A MSDN blog had this at the end of last year:

    MS08-067 and the SDL
    http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
    You may remember that the Blaster worm exploited Port 135 and the Slammer, Port 445.

    It's pretty evident that ensuring that people have a firewall/router properly configured would prevent a lot of problems.

    One caveat is with those who have file sharing enabled, in which case other precautions need to be taken.

    regards,

    -rich
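As an added example (not part of the thread and not Kerio's log format): a small parser that tallies inbound traffic aimed at the NetBIOS/SMB ports (135-139, 445) in a firewall log and flags any hit on those ports that the rule set let through, which is the check a reader would want before concluding their firewall handles this. The log line format and addresses are constructed for the example.

```python
import re
from collections import Counter

NETBIOS_SMB_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample log (hypothetical format, not a real firewall's):
# "<date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2009-11-13 08:01:02 DROP TCP 203.0.113.7:4321 -> 192.0.2.10:445
2009-11-13 08:01:05 DROP TCP 203.0.113.7:4322 -> 192.0.2.10:139
2009-11-13 08:02:10 DROP TCP 198.51.100.9:51000 -> 192.0.2.10:135
2009-11-13 08:02:11 DROP UDP 198.51.100.9:137 -> 192.0.2.10:137
2009-11-13 08:03:00 ACCEPT TCP 192.0.2.20:50123 -> 192.0.2.10:80
2009-11-13 08:03:30 DROP TCP 203.0.113.7:4323 -> 192.0.2.10:445
2009-11-13 08:04:00 ACCEPT TCP 192.0.2.20:50200 -> 192.0.2.10:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def probe_summary(log_text):
    """Count traffic aimed at the NetBIOS/SMB ports: (hits per dst port, hits per src IP)."""
    by_port, by_src = Counter(), Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["dport"] in NETBIOS_SMB_PORTS:
            by_port[rec["dport"]] += 1
            by_src[rec["src"]] += 1
    return by_port, by_src

def accepted_probes(log_text):
    """Hits on the NetBIOS/SMB ports that were NOT dropped: these show the rule set has a gap
    (e.g. a LAN host allowed in for file sharing) and deserve a closer look."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["dport"] in NETBIOS_SMB_PORTS and rec["action"] != "DROP"]

if __name__ == "__main__":
    ports, srcs = probe_summary(SAMPLE_LOG)
    print("probes per port:", dict(ports), "per source:", dict(srcs))
    print("accepted hits on NetBIOS/SMB ports:", accepted_probes(SAMPLE_LOG))
```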
     
  4. Dogbiscuit

    Dogbiscuit Guest

    From DailyTech:

     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In articles that appeared last week, that quote was attributed to Tyler Reguly, Lead Security Research Engineer with nCircle.

    See:

    Protect Your PCs from Windows 7's Zero-Day Exploit
    November 12, 2009
    http://www.pcworld.com/businesscent...your_pcs_from_windows_7s_zeroday_exploit.html

    Protect Your PCs from Windows 7's Zero-Day Exploit
    November 13, 2009
    http://www.thestandard.com/news/200...Industry Standard News and Predictions (all))

    Laurent Gaffié, in his blog, wrote that IE can be a trigger for the exploit, and his code shows SMB/Port 445 launching the Denial of Service:

    Code:
    launch = SocketServer.TCPServer(('', 445), SMB2)  # listen all interfaces port 445
    launch.serve_forever()
    
    See:

    Windows 7 / Server 2008R2 Remote Kernel Crash
    http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

    The IE trigger may launch the exploit internally via Netbios and the ports, but no working example has been given.

    Microsoft adds to the confusion in its Advisory:

    Microsoft Security Advisory (977544)
    http://www.microsoft.com/technet/security/advisory/977544.mspx

    Meanwhile, as long as this is a Denial of Service attack, it may not attract the interest of malware writers, who are probably more interested in exploits that can install a trojan. However, no worms using this exploit have been released, so that remains to be seen.

    Finally, an observation by Chet Wisniewski, senior security adviser at Sophos:

    First Windows 7 Exploit Appears To Evade SDL Process
    By Jennifer LeClaire November 13, 2009 10:23AM
    http://www.newsfactor.com/news/First-Windows-7-Exploit-Evades-SDL/story.xhtml?story_id=031002F6WXWX

    And so it goes...

    ----
    rich
     
  6. Dogbiscuit

    Dogbiscuit Guest

    It looks as though you may have caught a misquote on DailyTech.
     
  7. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Isn't it common that ports 135-139 and 445 are blocked by default in routers and software firewalls? At least, they are for me...
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Misquotes happen - interviewers speak with a number of people in researching an article and get things mixed up.

    Here, the misquote is most unfortunate, since the person identified with the quote is the author of the exploit code and the one who notified Microsoft.

    The correlation with IE specifically to this vulnerability has not been thoroughly discussed nor demonstrated.

    regards,

    ----
    rich
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The problem is with those who have file/print sharing enabled, which I referred to in my first post.

    This came up during the MS08-067 RPC (remote procedure call) vulnerability, also involving ports 139, 445, which the Conficker worm later used. In a Windows Secrets Newsletter from October of last year, Susan Bradley noted:

    Rare out-of-cycle patch emphasizes the risk - MS08-067
    http://windowssecrets.com/comp/081024

    How this exploit could be triggered internally still has yet to be demonstrated, but the possibility for worm propagation exists, depending on the strength of a system's other security measures.

    regards,

    -rich
     