Microsoft has promised to patch a serious flaw in newer versions of its Windows operating system after hackers released exploit code that allows them to take complete control of the underlying machines. The flaw, which affects various versions of Windows Vista, 2008, and the release candidate version of Windows 7, resides in the …
SMB bug doesn't affect sensible people, does it, especially since the firewall is enabled by default. I was actually hoping to read about the TCP vulnerability, but hey.
Is it or isn't it?
"The flaw, which affects various versions of Windows Vista, 2008, and the release candidate version of Windows 7..."
"Even worse, security reviewers in Redmond managed to purge the bug from the final version of Windows 7, but allowed earlier beta versions to remain vulnerable."
Which is it? Has the bug been fixed in the RC of Windows 7 or hasn't it? Also, why would anyone expect MS to patch a bug in *beta* version FFS?
@Is it or isn't it?
Anonymous coward, the bug is present in Windows 2007 RC. It's not present in Windows 2007 RTM.
BSOD = potential code execution
Well who would have guessed. Duh!
I was reading about this earlier today:
roflmao. Built from the ground up... more FUD, MS are full of shit, check the exes in Vista/Windows 7's Windows and system32 folders. There are differences, but not enough to claim "built from the ground up"; both Vista and Windows 7 are built on legacy code. OK, SMB 2.0 (srv2.sys) may be unique to Vista and Windows 7, but the same QA has been applied to this module as was applied to Windows XP and Windows 98.
Microsoft take the piss and the IT industry, consumer protection organisations let them.
It takes skill, a relatively high IQ and knowledge to understand, manage, control and secure modern operating systems. Unfortunately I lack in all four areas, but I am smart enough to use windows for nothing more than Cubase and gaming.
If security analysts can discover these vulnerabilities, why, with all their financial resources, can't Microsoft? They wrote the shit; it's just pathetic.
I'm as willing to complain about Microsoft as the next gal, but really, bugs happen. I agree that it's silly to expect Microsoft to back port bug fixes to a beta version of the software. Now if they don't propose to fix it in Vista, that's another thing entirely.
I had great fun today, crashing my boss's Vista box :)
So glad I "downgraded" back to XP.
How difficult is it?
How difficult is it? Really? Trust NOTHING that comes from an external source. Any module of code that accepts external data should validate it properly and throw it out if it doesn't comply with the agreed interface contracts. Not hard... unless you spend most of your development time obfuscating an interface to make it hard for anybody else to implement.
On the other hand... trust little even if it comes from an internal source. Paranoia is good. Just not overly good for efficiency.
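An added example (my own code, not from the article, the commenter, or Microsoft) of the rule stated in the comment above: every field taken from an external message is checked against the buffer actually received before it is used. The wire format here is constructed for illustration and is not SMB or SMB2; the `dispatch_message_unchecked` variant is included only to show the pattern that turns a malformed packet into a crash, which in a kernel-mode service is the "BSOD = potential code execution" point made earlier in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format, constructed for this example (NOT SMB/SMB2):
 *   byte 0..1 : magic 0x4D 0x51
 *   byte 2..3 : payload length, little-endian
 *   byte 4    : command index into a handler table
 *   byte 5..  : payload
 */
#define HDR_LEN     5
#define MAX_PAYLOAD 64

typedef int (*handler_fn)(const uint8_t *payload, size_t len);

/* Two toy commands: echo returns the payload length, sum adds the bytes. */
static int cmd_echo(const uint8_t *p, size_t n) { (void)p; return (int)n; }
static int cmd_sum(const uint8_t *p, size_t n)
{
    int s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

static const handler_fn handlers[] = { cmd_echo, cmd_sum };
#define NUM_HANDLERS (sizeof handlers / sizeof handlers[0])

enum { RC_BAD_MAGIC = -1, RC_SHORT = -2, RC_BAD_LEN = -3, RC_BAD_CMD = -4 };

/* UNSAFE pattern, never call this with untrusted input: the command byte is
 * used as a table index without a bounds check, so a value >= NUM_HANDLERS
 * reads a "function pointer" from whatever memory follows the table and
 * jumps to it. In user mode that is a crash; in kernel mode it is a BSOD,
 * or worse if the attacker can influence what lies past the table. */
int dispatch_message_unchecked(const uint8_t *buf, size_t buflen)
{
    uint16_t plen = (uint16_t)(buf[2] | (buf[3] << 8));
    (void)buflen;                               /* received size ignored: the bug */
    return handlers[buf[4]](buf + HDR_LEN, plen);
}

/* Hardened dispatcher: reject anything that does not match the contract. */
int dispatch_message(const uint8_t *buf, size_t buflen)
{
    if (buflen < HDR_LEN)                       return RC_SHORT;
    if (buf[0] != 0x4D || buf[1] != 0x51)       return RC_BAD_MAGIC;

    uint16_t plen = (uint16_t)(buf[2] | (buf[3] << 8));
    /* The claimed length must fit our limit AND the bytes we actually got. */
    if (plen > MAX_PAYLOAD || (size_t)plen != buflen - HDR_LEN)
        return RC_BAD_LEN;

    uint8_t cmd = buf[4];
    /* The index is attacker-controlled: bound it before the table lookup. */
    if (cmd >= NUM_HANDLERS)                    return RC_BAD_CMD;

    return handlers[cmd](buf + HDR_LEN, plen);
}

int main(void)
{
    /* Constructed sample messages: one valid, three malformed. */
    const uint8_t good[]    = { 0x4D, 0x51, 0x03, 0x00, 0x01, 1, 2, 3 };
    const uint8_t bad_cmd[] = { 0x4D, 0x51, 0x00, 0x00, 0xFF };
    const uint8_t bad_len[] = { 0x4D, 0x51, 0x10, 0x00, 0x00, 1 };
    const uint8_t trunc[]   = { 0x4D, 0x51 };

    printf("good     -> %d\n", dispatch_message(good,    sizeof good));
    printf("bad cmd  -> %d\n", dispatch_message(bad_cmd, sizeof bad_cmd));
    printf("bad len  -> %d\n", dispatch_message(bad_len, sizeof bad_len));
    printf("short    -> %d\n", dispatch_message(trunc,   sizeof trunc));
    return 0;
}
```

The checks are ordered so that no field is read before the buffer is known to contain it, and the length check compares the claimed size with the real one rather than trusting either alone; that ordering is what a hardened parser needs regardless of the protocol.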
First, you say that attempts to exploit the bug will probably "only" crash the machine. As if it's a good thing. I guess DDOS attacks are OK then. After all, they will "only" at worst crash your kit.
Second (and this one is not your fault), how can you sell a frigging server OS that needs TCP -and its own proprietary network share protocol- to be off in order not to crash -or be exploited- at a whim? Surely that makes it entirely unfit for purpose? Hey look here is a server OS, it's perfectly stable and secure as long as it doesn't come close to a network! WTF?
Perhaps someone can explain something
I understand SMB is mainly for file sharing with the odd bit for printer/ports + some networking. According to the wiki page it runs on netbios although it probably can run over TCP directly. Anyway, irrelevant.
Why is the SMB process running in the kernel where it can do so much damage? It would seem reasonable to dump it into a user-level process where it can only crash itself. If it's basically about networking or files then any overhead of putting it into its own process would vanish in the noise. Any insights?
@two things... #
Since when is disabling two ports the same as turning off tcp?
>In the meantime, admins should prevent attacks targeting SMB2 by disabling
> the service. If that's not possible, the two TCP ports used by the service,
>139 and 445, should be blocked at the firewall.
When should any of the SMB-related ports ever be accessible to anything but the specific machines/networks (presumably local) that need them?
you might want to read about the _other_ critical bug as well. see the MS bulletin.
> Why is the SMB process running in the kernel where it can do so much damage?
I believe that NFS works as a kernel module in most *nix operating systems. Not that that's a good thing, either.
"how can you sell a frigging server OS that needs TCP [...] to be turned off [yadda yadda yadda]"
Should of course read "how can you sell a frigging server OS that needs *FTP* [...] to be turned off [yadda yadda yadda]"
Don't know what went through my mind.
Do I get a punishment session with the Moderatrix? Not that I did it on purpose. Of course.
1. You can't disable SMB without turning off all file and print sharing. May as well just unplug the network.
2. Almost all home and business users will have SMB ports blocked at the firewall, so it's really not much of an issue.
3. SMB predates Vista!!! I can't believe anyone would think otherwise.
4. Almost all SMB these days will be running over TCP. Netbios is so last century.
@Nick Ryan : How difficult is it?
It is easy to trivialize the problem of securing software, but it IS difficult. No operating system has ever been immune to security flaws. If no one has ever accomplished this feat, what ground is there for saying that it is not difficult?
Probably should change the summary on the article. It states it affects the RTM version, and not just the RC.
"Redmond has promised to patch a vuln that gives hackers complete control of PCs running the Windows 7 RTM, Vista, and 2008."
@Dan Goodin, Re: is it or isn't it?
The sub heading for this story on your front page reads,
'Redmond has promised to patch a vuln that gives hackers complete control of PCs running the Windows 7 RTM, Vista, and 2008'.
I'm just saying...
And what's Windows 2007?
"despite writing Windows Vista and 2008 from scratch"
Do you have any evidence to back this up? They *tried* to do so with Longhorn and failed miserably. I always understood that Vista was really a rushed touch up to XP done at the last minute after they totally gave up on Longhorn.
But it wouldn't be the first time I was wrong
Bug in SMB2 not SMB
Sorry, but the bug is in SMB2 and not in SMB and Yes there is a difference.
See also http://isc.sans.org/diary.html?storyid=7093
Vista by any other name...
...is still a dungheap
Good luck with your new OS wintards.
"SMB bug doesn't affect sensible people"
Nope, I'm running Samba on Linux :-)
Even more sensible people would be running it on BSD.
@Paul 168 : How difficult is it?
"It is easy to trivialize the problem of securing software, but it IS difficult. No operating system has ever been immune to security flaws. If no one has ever accomplished this feat, what ground is there for saying that it is not difficult?"
It's difficult all right. The thing is that other companies make it look a lot easier than Microsoft do. Despite MS having billions and making massive profits, they never seem to throw enough resources at actually testing anything until it's far, far too late.
If you need proof of this then all you have to do is trawl the back issues of El Reg for articles about MS flaws vs the number of articles from any (or ALL) their competitors and then divide by market share...
"a simple crash of the machine"
So that's OK then.
Re: is it or isn't it?
AC wrote: "And what's Windows 2007?"
If the other versions of Windows are anything to go by then it's an OS inspired by the bowel movements of a monkey that's been eating too many figs.
"To be fair, most attempts to exploit the bug will result in a simple crash of the machine, "
Oh, that's all right then?
Are you suggesting that SMB is not used inside networks, or that no unauthorised code is ever executed within a corporate firewall?
On enterprise networks the only thing stopping "the bad guys" from taking over your servers is layered security -- that includes preventing the majority of user accounts having any kind of Admin access, meaning that any malware they execute can't "escape" their machine. If there's a hole in your server that allows non-admin accounts to execute arbitrary code on it you're in trouble -- some dope can try and run the latest freeware game doing the rounds and take down all your file and print servers.
"3. SMB predates Vista!!! I can't believe anyone would think otherwise."
The article does indeed make the odd claim that SMB is new. I think it meant SMB2, which as far as I know is a set of extensions to the protocol to permit more efficient operation.
As for the "secure development" bit... I'm not at all surprised to find that even suitably tooled up and well-motivated developers would have trouble here. The original SMB protocol is undocumented and I think the Samba people have established that not only does it vary from OS to OS, it is a tad ambiguous even within an OS. It probably can't be changed (say, to make it well-specified and formally testable) without breaking backwards compatibility. If so, formal tools aren't applicable and it's back to the old-fashioned method of asking really smart programmers to think very hard.
With any sufficiently successful product, maintenance eventually becomes a question of doing the best you can to keep the thing running despite the fact that the environmental ground beneath your feet has eroded away and your product now looks like http://bertc.com/g9/magritte12.htm.
go shoot yourself in the other foot. You can use my weapon if you like.
Networking Stack was rewritten for Vista
Here it states that the networking stack was rewritten for Vista, which probably explains why the same old bugs seem to have re-appeared.
Can someone explain to me...
What is meant by "zero-day" when referring to a vulnerability like this.
No, you're right. Vista is basically a revamped NT5 kernel. That's why everything runs as kernel module. In NT5 everything is tightly integrated into the kernel. You can't even run local services on this system without having 'remote' procedure calling enabled, for instance (hence the Slammer worm).
The Longhorn kernel died a death in 2003 and was scrapped. COSD at Redmond were then given less than 18 months to revamp the existing NT5 kernel for Vista, despite having spent the previous two years, internally deriding just about every aspect of how it worked and what it did.
RE: two things
"..you say that attempts to exploit the bug will probably "only" crash the machine. As if it's a good thing. ..."
Compared to someone executing arbitrary code on your computer, yes it is a good thing.
Would be nice if bugs / exploits never happened but that is not possible in today's world of computermabobs, so you take whatever comfort you can get.
writing Windows Vista and 2008 from scratch, yeah if you consider ctrl-c and ctrl-v "writing"
The headline on the front page says Windows 7 RTM but the article says that it's Win7 RC and that RTM isn't vulnerable. Might want to correct that!
@Field Marshal Von Krakenfart
"writing Windows Vista and 2008 from scratch, yeah if you consider ctrl-c and ctrl-v 'writing'"
Give MS some credit, there's a few more steps to it than that:
find "XP/Vista" replace with "Vista/Windows 7"
"I always understood that Vista was really a rushed touch up to XP done at the last minute after they totally gave up on Longhorn."
You are absolutely correct. I'm an OS X user and a longtime programmer in Unix environments. However, Longhorn intrigued me when I first heard about it and what they were working on: a new kernel written from the ground up, a new and improved security/permission paradigm, an OO file system, a new shell that used the best-of-breed features of shell/scripting/interpreted languages, etc etc etc.
However, a couple things happened along the way. Win2K was pretty successful, but when Apple released OS X (and, gasp, seemed to be recovering and attracting people) in late 2001, it took MicroSoft by surprise. (Not that they were alone.) In the meantime, Apple was releasing software like iPhoto, iTunes, iMovie, etc, not to mention the iPod, that were turning heads and attracting buyers on the consumer side. On the corporate side, most Unix vendors were happily falling on their swords, but Linux was becoming a serious player. MicroSoft have always touted how cheap Windows was compared to Unix, but how do you compete with free?
So Apple was impressing people and winning users who were sick of the Windows security problems. And a lot of these people were tech-savvy. I recall that in the company I worked for at the time, the Windows administrators bought iBooks for their personal use. That says a lot.
So there was Microsoft, with Longhorn already looking shaky, and wondering what to do. They released XP, a name which drew laughs because of its similarity to the name of Apple's OS, and which is basically a Win2K service pack with a new skin slapped on it. I recall that most people at the time were saying "Why do I need to pay that much for a new interface? Win2K runs fine on my machine, I don't want to buy a new one, not all my drivers will work with XP, ..." Sound familiar?
So yes, Vista was more or less a last-minute XP, but XP itself was more or less a last-minute 2K.
The more things change, ...
@ Ken Hagan
SMB is documented, and M$ gave the Samba project all the documentation they needed way back in December 2007. I've no idea if that extends to SMB2.0 mind.
Given how important file (and printer) sharing is to most windows running shops, turning SMB off isn't really an option. Good thing we've not upgraded to Vista yet :)
@AC 13:02 GMT
You owe me a new keyboard.....
A true professional with an eye for detail.
@the guy who said we should look at the proportion of bugs
Yes, let's do that. MS have 95% marketshare but I really, really doubt that they have 95% of the bug reports here. Witness the amount of OSX, Linux and Flash vulnerabilities.
>Yes lets do that. MS have 95% marketshare but I really, really doubt that they have 95% of the bug
>reports here. Witness the amount of OSX, Linux and Flash vulnerabilities.
By that logic Windows could have 20 times more vulnerabilities (give or take) than OSX or Linux and be considered equally secure.
@Tom Smith 1
Samba has been around for Linux at least since I've been using it (circa 2000). So pretty much most of the development effort of Samba has been by Andrew Tridgell and the other developers without m$ help. To wit, they reverse engineered it, and a damn fine job they did of it too. I would be happy to bet 20p that m$ used the Samba documentation and source code to help them document the server message block protocol (SMB).
@David 141, you might like to consider SMB over netbios quite nice and secure as netbios is not routable as TCP/IP is. Security by obscurity ? But yes SMB over netbios as implemented by m$ was a dogs dinner ! And of course the idiots at m$ implemented the security client-side instead of server side. Which is why it was so easily broken.
@windywoo - what is the airspeed velocity of a swallow ?
@Field Marshal Von Krakenfart - I've never had one crack yet ! Rumble yes, silent yes, smelly yes, and the occasional squeaky one when you are really trying to apply noise abatement techniques ! Other than that, I too suspect CTRL-C CTRL-V skullduggery from redmond.
Regarding the RTM acronym. Surely it should really be WTFM which stands for where's the flaming manual ? retard buys that glossy box the size of a small skyscraper thinking wow I'm getting loads here - and if you're lucky there's an install CD and a 'manual' that is smaller than the EULA in the box ! By breaking the cellophane to open this new toilet roll you have just invalidated your right to a refund. Great stuff ! A practice that remains acceptable to this day, though under any other guise it would be against the law.
I have no sympathy for m$ whatsoever. Yes it's true bugs occur in any system, but m$ make no proper attempt to test things before release. Couple that with the paranoia over loss of revenue through fraud (when half their revenue is by fraud) that leads to an OEM not giving you a restore disk, I have no time for them. They have their place, but if they were to go darwinian (i.e. bust) I would not miss them. Keep their current practice up, and I can but hope.
Vista take two?
I've got my RTM of Windows 7 running on my testbed machine and the annoying little bugs are popping up already. Is anyone going to fix the chkdsk bug? So far I've found plenty of sites telling me how it's not a bug, but a feature. Are we to believe that this is another "feature"? Carry on.