BSOD = potential code execution

Well who would have guessed. Duh!

I was reading about this earlier today:

http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15

roflmao. Built from the ground up... more FUD, MS are full of shit, check the exe's in Vista/Windows 7's Windows and system32 folders. There are differences, but not enough to claim "built from the ground up" both vista and windows 7 are built on legacy code. OK SMB 2.0 (srv2.sys) maybe unique to Vista and Windows 7 but the same QA has been applied to this module as was applied to Windows XP and Windows 98.

Microsoft take the piss and the IT industry, consumer protection organisations let them.

It takes skill, a relatively high IQ and knowledge to understand, manage, control and secure modern operating systems. Unfortunately I lack in all four areas, but I am smart enough to use windows for nothing more than Cubase and gaming.

If security analysts can discover these vulnerabilities, why, with all their financial resource can't Microsoft? They wrote the shit, It's just pathetic.

Silly

I'm as willing to complain about Microsoft as the next gal, but really, bugs happen. I agree that it's silly to expect Microsoft to back port bug fixes to a a beta version of the software. Now if they don't propose to fix it in Vista, that's another thing entirely.

Perhaps someone can explain something

I understand SMB is mainly for file sharing with the odd bit for printer/ports + some networking. According to the wiki page it runs on netbios although it probably can run over TCP directly. Anyway, irrelevant.

Why is the SMB process running in the kernel where it can do so much damage? It would seem reasonable to dump it into a user-level process where it can only crash itself. If it's basically about networking or files then any overhead of putting it into its own process would vanish in the noise. Any insights?

@two things... #

Totally agree.

@pierror

Since when is disabling two ports the same as turning off tcp?

@DT

you might want to read about the _other_ critical bug as well. see the MS bulletin.

Re: @DT

Totally agree.

;-)

@me: correction

"how can you sell a frigging server OS that needs TCP [...] to be turned off [yadda yadda yadda]"

Should of course read "how can you sell a frigging server OS that needs *FTP* [...] to be turned off [yadda yadda yadda]"

Don't know what went through my mind.

Sorry

Do I get a punishment session with the Moderatrix? Not that I did it on purpose. Of course.

@Nick Ryan : How difficult is it?

It is easy to trivialize the problem of securing software, but it IS difficult. No operating system has ever been immune to security flaws. If no one has ever accomplished this feat, what ground is there for saying that it is not difficult?

@Dan Goodin

Probably should change the summary on the article, It states it affects the RTM version, and not just the RC.

"Redmond has promised to patch a vuln that gives hackers complete control of PCs running the Windows 7 RTM, Vista, and 2008."

@Dan Goodin, Re: is it or isn't it?

The sub heading for this story on your front page reads,

'Redmond has promised to patch a vuln that gives hackers complete control of PCs running the Windows 7 RTM, Vista, and 2008'.

I'm just saying...

And what's Windows 2007?

Say what?

"despite writing Windows Vista and 2008 from scratch"

Do you have any evidence to back this up? They *tried* to do so with Longhorn and failed miserably. I always understood that Vista was really a rushed touch up to XP done at the last minute after they totally gave up on Longhorn.

But it wouldn't be the first time I was wrong

Bug in SMB2 not SMB

Sorry, but the bug is in SMB2 and not in SMB and Yes there is a difference.

See also http://isc.sans.org/diary.html?storyid=7093

@Paul 168 : How difficult is it?

"It is easy to trivialize the problem of securing software, but it IS difficult. No operating system has ever been immune to security flaws. If no one has ever accomplished this feat, what ground is there for saying that it is not difficult?"

It's difficult all right. The thing is that other companies make it look a lot easier than Microsoft do. Despite MS having billions and making massive profits, they never seem to throw enough resources at actually testing anything until it's far, far too late.

If you need proof of this then all you have to do is trawl the back issues of El Reg for articles about MS flaws vs the number of articles from any (or ALL) their competitors and then divide by market share...

Great

"a simple crash of the machine"

So that's OK then.

@WTF

Are you suggesting that SMB is not used inside networks, or that no unauthorised code is ever executed within a corporate firewall?

On enterprise networks the only thing stopping "the bad guys" from taking over your servers is layered security -- that includes preventing the majority of user accounts having any kind of Admin access, meaning that any malware they execute can't "escape" their machine. If there's a hole in your server that allows non-admin accounts to execute arbitrary code on it you're in trouble -- some dope can try and run the latest freeware game doing the rounds and take down all your file and print servers.

@David 141

"3. SMB predates Vista!!! I can't believe anyone would think otherwise."

The article does indeed make the odd claim that SMB is new. I think it meant SMB2, which as far as I know are a set of extensions to the protocol to permit more efficient operation.

As for the "secure development" bit... I'm not at all surprised to find that even suitably tooled up and well-motivated developers would have trouble here. The original SMB protocol is undocumented and I think the Samba people have established that not only does it vary from OS to OS it is a tad ambiguous even within an OS. It probably can't be changed (say, to make it well-specified and formally testable) without breaking backwards compatibility. If so, formal tools aren't applicable and its back to the old-fashioned method of asking really smart programmers to think very hard.

With any sufficiently successful product, maintenance eventually becomes a question of doing the best you can to keep the thing running despite the fact that the environmental ground beneath your feet has eroded away and your product now looks like http://bertc.com/g9/magritte12.htm.

Networking Stack was rewritten for Vista

http://technet.microsoft.com/en-gb/library/bb878108.aspx

Here it states that the networking stack was rewritten for Vista, which probably explains why the same old bugs seem to have re-appeared.

Can someone explain to me...

What is meant by "zero-day" when referring to a vulnerability like this.

Thanks.

@Goat Jam

No, you're right. Vista is basically a revamped NT5 kernel. That's why everything runs as kernel module. In NT5 everything is tightly integrated into the kernel. You can't even run local services on this system without having 'remote' procedure calling enabled, for instance (hence the Slammer worm).

The Longhorn kernel died a death in 2003 and was scrapped. COSD at Redmond were then given less than 18 months to revamp the existing NT5 kernel for Vista, despite having spent the previous two years, internally deriding just about every aspect of how it worked and what it did.

RE: two things

"..you say that attempts to exploit the bug will probably "only" crash the machine. As if it's a good thing. ..."

Compared to someone executing arbitrary code on your computer, yes it is a good thing.

Would be nice if bugs / exploits never happened but that is not possible in today's world of computermabobs, so you take whatever comfort you can get.

@Goat Jam

"I always understood that Vista was really a rushed touch up to XP done at the last minute after they totally gave up on Longhorn."

You are absolutely correct. I'm an OS X user and a longtime programmer in Unix environments. However, Longhorn intrigued me when I first heard about it and what they were working on: a new kernel written from the ground up, a new and improved security/permission paradigm, an OO file system, a new shell that used the best-of-breed features of shell/scripting/interpreted languages, etc etc etc.

However, a couple things happened along the way. Win2K was pretty successful, but when Apple released OS X (and, gasp, seemed to be recovering and attracting people) in late 2001, it took MicroSoft by surprise. (Not that they were alone.) In the meantime, Apple was releasing software like iPhoto, iTunes, iMovie, etc, not to mention the iPod, that were turning heads and attracting buyers on the consumer side. On the corporate side, most Unix vendors were happily falling on their swords, but Linux was becoming a serious player. MicroSoft have always touted how cheap Windows was compared to Unix, but how do you compete with free?

So Apple was impressing people and winning users who were sick of the Windows security problems. And a lot of these people were tech-savvy. I recall that in the company I worked for at the time, the Windows administrators bought iBooks for their personal use. That says a lot.

So there was Microsoft, with Longhorn already looking shaky, and wondering what to do. They released XP, a name which drew laughs because of its similarity to the name of Apple's OS, and which is basically a Win2K service pack with a new skin slapped on it. I recall that most people at the time were saying "Why do I need to pay that much for a new interface? Win2K runs fine on my machine, I don't want to buy a new one, not all my drivers will work with XP, ..." Sound familiar?

So yes, Vista was more or less a last-minute XP, but XP itself was more or less a last-minute 2K.

The more things change, ...

@the guy who said we should look at the proportion of bugs

Yes lets do that. MS have 95% marketshare but I really, really doubt that they have 95% of the bug reports here. Witness the amount of OSX, Linux and Flash vulnerabilities.