



A serious security flaw has been found in Windows 7. While fixed in the RTM build, testers are at risk if they don't run a free tool to disable the vulnerable component.  (Source: Sydney Morning Herald)
Serious security flaw reminds users of both the dangers and benefits of testing trial software

In software, your security track record is ideally judged by the products you release, not the products you are developing.  Nonetheless, Microsoft is drawing flak over an unpatched vulnerability in the beta and Release Candidate versions of Windows 7, as well as in Windows Vista and Windows Server 2008.  With attacks incoming, Microsoft and security experts are urging testers to run a workaround that disables the exploitable component in the meantime.  The entire mess, though, demonstrates both the dangers and the benefits of thorough software testing.

Windows 7 is arguably the most thoroughly publicly tested piece of unreleased software in the history of software engineering.  An unprecedented testing program offered up both a beta and a release candidate build to the public, with millions taking the new OS out for a test drive worldwide.  Many problems were thus identified and fixed.

Overall, Windows 7 is more secure, thanks to numerous protections.  However, a block of code called SMB 2 (Server Message Block 2), which implements a network file- and print-sharing protocol and is present in the test builds, was recently found to have an exploitable vulnerability.  Early testing demonstrated that the vulnerability could be used to blue-screen Windows boxes.

Now, more thorough research has demonstrated that the flaw can be exploited for complete system takeovers.  Miami Beach-based Immunity, makers of the CANVAS penetration testing framework, built a proof-of-concept exploit that uses the SMB 2 flaw to execute remote code.  The exploit was released last Wednesday to paid subscribers. 

This week Mark Wodrich and Jonathan Ness, both members of the Microsoft Security Response Center (MSRC) engineering team, posted a blog discussing the exploit.  The good news, they say, is that it's fixed in the RTM build and will not be present in the retail release of Windows 7.  The bad news, they say, is that in the Release Candidate and beta builds, the flaw is every bit as severe as the security firms indicated.  Writes the pair, "We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems.  The exploit gains complete control of the targeted system and can be launched by an unauthenticated user."

Meanwhile, security researcher HD Moore says that the exploit will soon be added to Metasploit, an open source security toolkit he helps write.  The kit is free and widely used by hackers to craft attacks.  In other words, expect the SMB 2 attacks to be coming in weeks, not months.

Microsoft is hard at work crafting a patch to deploy to its testers.  Microsoft's next patch day is still a ways away, though: October 13.  In the meantime it's offering users a "Fix-it" tool as a stopgap solution.  The automated tool, available here, will disable the SMB 2 code and prevent its exploitation.  Microsoft and security firms are strongly urging users (that includes beta testers and enthusiasts running Release Candidate versions of Windows 7) to run the tool as soon as possible, though Microsoft believes there are no working attacks currently in the wild.

While some have taken the SMB 2 bug as an opportunity to fling mud at Windows 7's security, it's best to reserve judgment for the final product.  If Windows 7 releases with few flaws, Microsoft (and its testers) should be thanked for its unprecedented testing program that has caught potential "show stopping" vulnerabilities like this one.  With robust protections, upcoming free anti-malware protections, and a rapidly diminishing list of exploitable routes, Windows 7 is shaping up quite nicely.

While testing is a great experience, this security crisis also goes to show that testers should be aware of the security risks they take on.  While fewer attacks will be geared specifically toward unreleased software, test software is likely to have more exploitable flaws.  With great new software comes great responsibility to stay vigilant and informed, and to get the latest protections and workarounds while the vendor polishes the final product (granted, this axiom applies to release software as well, to a lesser extent).

Update 1 11:21 p.m., Mon. Sept 21, 2009:  Some users are reporting trouble running the tool to disable SMB 2.  As Microsoft's security advisory lists the Windows 7 RC as affected (see the FAQ; it is not in the list of affected OSes) and says to follow the advised steps, it's unclear what to do here.  Brandon Hill tried to run the tool in the 64-bit version of the release candidate, like the commenter did, and confirmed that it fails.  It's unclear if the tool works for 32-bit release candidates, the betas, or none of the Windows 7 releases at all.  We'll update further as we get more details.

Update 2 8:15 a.m., Tues., Sept 22 2009:  Windows 7 RC and beta users can and should run the tool; however, you won't be able to simply execute it as-is. Follow these steps:
1.  Download the tool here (this is the same tool I previously linked to).
2.  Right-click the tool. Select Properties > Select the Compatibility tab > Select "Run this program in compatibility mode for: Previous version of Windows" > Click Apply > Click OK.
3.  As an admin, run the tool by double-clicking it.  Click Yes on the security and UAC warnings.
4.  Check your registry to verify the update worked, as outlined here.

An alternative is to modify your registry manually.  Thanks evilharp, for figuring out that the tool would run in compatibility mode and detailing the steps required!





Obviously Metasploit = big egos & nob'eds!
By blowfish on 9/21/2009 10:47:40 PM , Rating: 4
Meanwhile, security researcher HD Moore says that the exploit will soon be added to Metasploit, an open source security toolkit he helps write. The kit is free and widely used by hackers to craft attacks. In other words, expect the SMB 2 attacks to be coming in weeks, not months.

So why do they have to add the exploit to Metasploit? It seems to me like they're at least exacerbating, if not actually creating the problem.

I guess the reputation of "Metasploit" just can't be compromised by humdrum practical considerations, like the greater good...

And who the *&ck is HD Moore? Seems like he must have been bullied at school.

Tossers!




RE: Obviously Metasploit = big egos & nob'eds!
By Murst on 9/22/2009 1:29:16 AM , Rating: 5
quote:
So why do they have to add the exploit to Metasploit?

Because when programmers simply told companies about their bugs before, the companies did nothing.

This forces the companies to patch their bugs before the code gets released to the public. Also, the flaw is probably not obvious, so allowing other people to view the code may prevent other programmers from committing the same mistake.


RE: Obviously Metasploit = big egos & nob'eds!
By emboss on 9/22/2009 2:07:24 AM , Rating: 2
quote:
Also, the flaw is probably not obvious


Actually, the mistake is a bit of a clanger. It takes a number from the packet and uses that to access an array of pointers to functions (to pick which function to call). Except they never check to see if the number in the packet is within the bounds of the array.

Just a basic case of assuming data coming in over the network is "good" and forgetting that there may be an attacker on the other end of the connection.
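The unchecked table index emboss describes, as an added example in C that is not code from the page, from Windows or from Immunity: a network-supplied opcode byte selects a function pointer from a table, first in the flawed shape and then with the bounds check that was missing. Handler names, the opcode layout and the return codes are all assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Handler signature for one SMB-style command (names assumed for the example). */
typedef int (*handler_fn)(const uint8_t *payload, size_t len);

static int handle_negotiate(const uint8_t *p, size_t n) { (void)p; return (int)n + 100; }
static int handle_session(const uint8_t *p, size_t n)   { (void)p; return (int)n + 200; }
static int handle_tree(const uint8_t *p, size_t n)      { (void)p; return (int)n + 300; }

/* The array of function pointers that the packet's opcode byte selects from. */
static const handler_fn dispatch_table[] = { handle_negotiate, handle_session, handle_tree };
#define NUM_HANDLERS (sizeof dispatch_table / sizeof dispatch_table[0])

enum { DISPATCH_OK = 0, DISPATCH_BAD_INDEX = -1, DISPATCH_SHORT_PACKET = -2 };

/* Flawed shape: the network-supplied byte indexes the table with no range
 * check, so any opcode >= NUM_HANDLERS reads a pointer past the end of the
 * table and calls through it. Shown for contrast only; never called here. */
int dispatch_unchecked(const uint8_t *pkt, size_t len, int *out)
{
    uint8_t op = pkt[0];                 /* trusted straight from the wire */
    *out = dispatch_table[op](pkt + 1, len - 1);
    return DISPATCH_OK;
}

/* Hardened version: check the length, then reject any opcode outside the
 * table before it is ever used as an index. Bad input becomes an error code. */
int dispatch_checked(const uint8_t *pkt, size_t len, int *out)
{
    if (pkt == NULL || len < 1)
        return DISPATCH_SHORT_PACKET;
    uint8_t op = pkt[0];
    if (op >= NUM_HANDLERS)              /* the bounds check that was missing */
        return DISPATCH_BAD_INDEX;
    *out = dispatch_table[op](pkt + 1, len - 1);
    return DISPATCH_OK;
}

int main(void)
{
    /* Constructed packets: a valid opcode 2, then an out-of-range opcode 0xFF. */
    const uint8_t good[] = { 0x02, 0xAA, 0xBB };
    const uint8_t bad[]  = { 0xFF, 0xAA, 0xBB };
    int r = 0;
    int rc = dispatch_checked(good, sizeof good, &r);
    printf("good: rc=%d result=%d\n", rc, r);
    rc = dispatch_checked(bad, sizeof bad, &r);
    printf("bad:  rc=%d\n", rc);
    return 0;
}
```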


RE: Obviously Metasploit = big egos & nob'eds!
By adiposity on 9/22/09, Rating: 0
By lecanard on 9/22/2009 6:21:40 PM , Rating: 2
Sounds like a cool class. Was is undergraduate or graduate level? My undergrad networking class wasn't that fun...


Danger?
By Ristogod on 9/22/2009 9:16:52 AM , Rating: 2
The Danger's of thorough software testing? There's danger involved in doing thorough software testing? What danger? The writer makes it seem as if in some cases thorough software testing should be avoided as it is too dangerous. This makes no sense at all.




RE: Danger?
By Aeonic on 9/22/2009 10:07:33 AM , Rating: 3
I think the point was that the danger came from the fact that so many people are using it (and that it's technically "test" software), that it's become interesting to hackers. I don't think the author was implying that it wasn't worth it.


RE: Danger?
By Lerianis on 9/28/2009 12:54:58 PM , Rating: 2
I thought that this was ALSO a problem on Windows Vista, but that there is a fix for Vista.... why not send out a fix for the RC over the pipes, or was the fix very complex in Windows 7 RTM?


By evilharp on 9/22/2009 12:04:36 AM , Rating: 5
I thought I'd chime in on this one. I've successfully run the fix and disabled SMB2 on Windows 7 RC x64.

To run the fix, first download it from: http://support.microsoft.com/kb/975497
Save the Disable and Enable files somewhere locally on your Windows 7 PC.

To Run the fix files, Right click on the file (Enable MicrosoftFixit50307 or Disable MicrosoftFixit50304)> Select properties> Select the Compatibility tab> Select "Run this program in compatibility mode for: Previous version of Windows"> Click Apply> Click Ok

Now run the file (as admin), you will get a Security Warning and a UAC alert (assuming you haven't gone and disabled these security features). Click Yes for both.

To confirm that it ran, check your Registry as highlighted here under Workarounds: http://www.microsoft.com/technet/security/advisory...

Hell, you can even use Regedit instead of the tool to fix it yourself. Just a quick DWORD change under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. See the Workarounds I linked above.




doesn't work
By walk2k on 9/22/2009 4:44:57 AM , Rating: 2
patch linked in article doesn't work




RE: doesn't work
By walk2k on 9/22/2009 4:47:36 AM , Rating: 2
it's only for Vista and Server 2008 that's why


Jason.....
By damianrobertjones on 9/22/2009 4:15:49 AM , Rating: 1
RE: Jason.....
By damianrobertjones on 9/22/2009 4:18:16 AM , Rating: 2
Actually.... That's an old article. Cor.


You know what's sad?
By dflynchimp on 9/21/2009 10:27:27 PM , Rating: 2
A good amount of these OS exploits can't even be used to obtain useful or profitable data from the victim's system, and blue-screening or other malicious infections are pretty much the bulk of what the antagonists are looking for. Says a lot about their use of time, f***ing griefers.

Now password and secure information retrieval, that's what I'm worried about.




By hitman699 on 9/21/2009 11:50:50 PM , Rating: 2
Maybe I'm doing something wrong here... but the software says not applicable to my Win 7 RC that is running 32 bit...

"does not apply to your operating system or application"




By amandahugnkiss on 9/22/2009 12:07:07 AM , Rating: 2
a quick search on how to manually disable SMB2 yielded this, it is for Vista but should easily be able to be tested for Win7:
www.maestrosoft.com/files/support/How_to_fix_Windows_Vista_Networking_?Issue.pdf

look to the very end of the article. This is in place for a different issue but stopping the SMB2 service is what you're after




Huh?
By wetlegs6 on 9/22/2009 2:29:03 PM , Rating: 2
quote:
An unprecedented testing program offered up both a beta and a release candidate build to the public, with millions taking the new OS out for a test drive worldwide.


Uhmm... Unprecedented like the public release of Vista beta 2 and the RCs?




Retarded.
By Visual on 9/23/2009 9:01:48 AM , Rating: 2
I have auto-update on. If it is important, MS should make it so it patches itself automatically.

And I mean it - it should be an actual patch that fixes the problem so that SMB works just fine. Not just disabling it leaving me with no shared folders access.

Making me run some weird-ass program, in compatibility mode no less, and which is just a stupid workaround and doesn't solve the actual bug... this just makes no sense at all.




By BobT on 9/23/2009 3:20:05 PM , Rating: 2
Headlines like this make me ashamed of our educational system. Didn't you ever hear the story about the boy who cried "Wolf" too many times?

If you can read, and actually read the whole Microsoft Security Bulletin on this issue you will discover that only a very few testers are actually at risk. The vast majority of testers are intelligent, smart individuals that would never connect their PCs directly to the internet. Neither would these people ever create holes in their network firewalls that would let SMB packets from the internet into their local network.

The key to reading any Security Bulletins, whether from Microsoft or some other source is to read the Mitigating Factors section.




Really for Windows 7?
By Aquila76 on 9/21/09, Rating: -1
RE: Really for Windows 7?
By Brandon Hill (blog) on 9/21/2009 10:54:20 PM , Rating: 2
quote:
It's Critical That Windows 7 Testers Run Tool

quote:
Microsoft is drawing flack over an unpatched vulnerability in the beta and Release Candidate versions of Windows 7; Windows Vista; and Windows Server 2008.

quote:
The good news, they say, is that its fixed in the RTM build and will not be present in the retail release of Windows 7.

quote:
The bad news, they say, is that in the Release Candidate and beta builds, the flaw is every bit as severe as the security firms indicated.

quote:
Microsoft and security firms are strongly urging users (that includes beta testers and enthusiasts running Release Candidate versions of Windows 7) to run the tool as soon as possible, though Microsoft believes there are no working attacks currently in the wild.


Or you could just read the article... ;)


RE: Really for Windows 7?
By Aquila76 on 9/21/2009 11:00:45 PM , Rating: 1
Sorry, the bourbon is kind of delaying my comprehension process. Mmm, tasty Maker's Mark. I think I better try patching this tomorrow, when I'm not in a Kentucky mind-frame.


RE: Really for Windows 7?
By Scrogneugneu on 9/21/2009 10:58:08 PM , Rating: 4
Windows 7 final will be unaffected. However, BETA and RC versions still have the bug unpatched. This is what the article is about.

"A BETA/RC version of an OS has a critical-level vulnerability that could potentially allow an attacker to take control of the system".

One would figure this should be expected. Over here, it's news.


RE: Really for Windows 7?
By jonmcc33 on 9/22/2009 11:45:05 AM , Rating: 2
Nobody cares about beta and RC releases. They are for testing anyway. You should not run them in a production/real world environment to begin with.

It is already stated that this does not apply to Windows 7 RTM. So no normal person will stumble upon this...unlike those Apple fanatics that got Snow Leopard that came with a known vulnerability in its retail release.


RE: Really for Windows 7?
By Aquila76 on 9/21/2009 10:57:00 PM , Rating: 1
Uh, let me retry that post.

If this is affecting Windows 7, why does the bulletin website list Windows 7 (both 32-bit and 64-bit) as unaffected?

http://www.microsoft.com/technet/security/advisory...


RE: Really for Windows 7?
By JasonMick (blog) on 9/21/2009 11:11:06 PM , Rating: 1
http://www.microsoft.com/technet/security/advisory...

quote:
Is the Windows 7 Release Candidate affected by this vulnerability?
Yes. This vulnerability was reported after the release of Windows 7 Release Candidate. Customers running this platform are encouraged to review this advisory and follow the steps listed here.


...That's from MS, so it does indeed affect Windows 7. As the steps listed in Microsoft's blog are to run that tool I'm not quite sure what the solution is.

I believe you, though. Brandon Hill ran Win 7 64-bit RC in his VM and got the same result as you. We're not sure yet whether the tool works for no Windows 7 OS's or just not the 64-bit RC's...

Thanks for the info, I may update the article accordingly.


RE: Really for Windows 7?
By JasonMick (blog) on 9/22/2009 8:32:20 AM , Rating: 2
Thanks anquila, I added a workaround to run the tool that you should be able to use. A thanks evilharp for being the first to outline this work around. I ran it on one of my machines, and it worked.

Turns out the key is to run it in compatibility mode.

Please let me know if that doesn't work for you.


RE: Really for Windows 7?
By omnicronx on 9/22/2009 11:59:19 AM , Rating: 2
While it may affect Windows 7 RC, it does not seem to affect the RTM build. I've played around with an android app that takes advantage of this exploit and it works nicely on my Vista machine, and my laptop running 7 RC but does not work on Windows 7 RTM on any machine I've tried. I can also confirm it does not work with all pre RTM builds and x86/x64 variants either, seems to be a crapshoot. That being said, I have not heard of one case of it working on an RTM version of 7, x86 or x64..


RE: Really for Windows 7?
By suchness18 on 9/21/2009 10:59:58 PM , Rating: 3
Patch doesn't install on Windows 7 x64 RC, OS is not 'applicable'. The Article is incorrect in this regard.


RE: Really for Windows 7?
By Spivonious on 9/22/2009 9:15:46 AM , Rating: 2
The article makes it seem like only 32-bit versions are affected, at least with Vista and Server 2003 (did they mean 2008?).


RE: Really for Windows 7?
By MrDiSante on 9/21/2009 10:58:04 PM , Rating: 2
quote:
The good news, they say, is that its fixed in the RTM build and will not be present in the retail release of Windows 7.


For those of you with reading comprehension issues: this means that the final version of Windows 7 is unaffected, only the "test" (read: RC/Beta) versions are. Hence why "Testers" should run the tool. This is one of those times where Jason wrote everything as he should have and you should have RTFA before posting.















