back to article Thought you were done after Tuesday's 115-fix day? Not yet: Microsoft emits SMBv3 worm-cure crisis patch

Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol. On Thursday morning, Redmond emitted the update to Server Message Block 3.1.1 to kill off a critical flaw word of which leaked out inadvertently this week. Designated CVE-2020- …

  1. arctic_haze Silver badge

    SMB

    This service is something that's need switched off / blocked / firewalled as soon as a new Windows computer is first switched on.

    1. phuzz Silver badge

      Re: SMB

      SMB1 is not enabled by default, and until this bug, SMB3 was looking pretty secure.

      Firewalling off port 445 will break any AD integration, which makes it basically useless in a business environment.

      1. Anonymous Coward
        Anonymous Coward

        Re: SMB

        Agreed. However, it is possible the achieve rudimentary "proxying" if you have a section of your network that you really want to keep away from direct Windows contact.

        I look after a testing lab (broadcast based tech) and none of the lab machines are on the domain for isolation reasons...long story...bottom line is, some of the tools they need require admin rights because they suck and/or were built by cretins...my predecessor had problems with viruses before because of the lax permissions, I therefore decided to remove domain access (they don't really need it, email is Office365 now) and direct access to domain resources (i.e. file sharing).

        To do this, I have a Linux box that straddles the lab network and the main company LAN. The Linux box has a dual 10gbe NIC and is connected to a 10gbe switch which also has the file server in (also 10gbe), there is also a quad port gigabit switch which I have configured as a LAG on a second gigabit switch on the Lab network.

        The Linux box has a volume mounted over iSCSI which is on the Windows File Server and is re-shared via Linux using SAMBA.

        Users in the lab still have mounted network drives, but not direct access to the Windows box. Therefore any creepy crawly wormy things can't directly attack the Windows File Server.

        It's not perfect, but it cuts out a lot of attack surface and is easy to monitor / switch off if I need complete isolation in the event of one of the technicians doing something stupid.

        1. Sir Runcible Spoon Silver badge

          Re: SMB

          I hope you have a backup for that Linux box :)

      2. Michael Wojcik Silver badge

        Re: SMB

        until this bug, SMB3 was looking pretty secure

        Well, that's fine, then.

        SMB is an ugly, overcomplicated, poorly-designed, highly stovepiped protocol. (And, yes, I've read the specs. I have the original on paper, in fact.) Rather than adding "features" like compression, Microsoft should be reimplementing the whole thing in a safer language (or with strict standards in place), with good (and enforced) secure-development practices, with static and dynamic analysis, and with unnecessary features disabled by default. Backward compatibility mean many customers can't simply jettison it, so Microsoft needs to fix their mistakes.

  2. Lorribot

    What about earlier versions of Windows Server like 1609? This is still a supported version, mainstream till November 2022.

    1. diodesign (Written by Reg staff) Silver badge
  3. This post has been deleted by its author

  4. cdrcat

    One down, 900 critical bugs to go

    Assuming 25 critical bugs found per month, for the next three years, means there are 900 critical bugs left to find... this one bug doesn’t matter that much since there are *plenty* left for skilled parties to find and abuse.

    https://blog.talosintelligence.com/2020/03/microsoft-patch-tuesday-march-2020.html

    1. Psmo Bronze badge
      Pint

      Re: One down, 900 critical bugs to go

      900 critical bugs to be found,

      900 critical buuuugs!

      Take one down and patch it around,

      921 bugs to be fooooooound!

    2. robidy Bronze badge

      Re: One down, 900 critical bugs to go

      I maybe wrong but that 25 looks like it's based on critical bug patched.

      I'd hazard a guess that bugs found is higher as there is a market for them to be traded and not every buyer will want the purchase...or the bug disclosed.

  5. Hans 1 Silver badge

    I installed the update and, after a restart, the trackpad no longer works on my laptop, it does "gestures" instead of moving the pointer. This is the second time I write this comment as swiping down ⭸ caused it to launch Chrome Help, then Chrome deleted the comment and no longer accepted keyboard input. Doing the same in Firefox, as in, swiping down ⭸ causes a caret browsing warning, claiming I hit F7.

    Hm, I was using the computer quite happily until it asked me to "update and restart", which was mere minutes ago .... how can an SMB patch f*up input devices ?

    1. Hans 1 Silver badge
      Paris Hilton

      I uninstalled the driver, restarted twice, and it works, now ... I was planning to re-install the driver ... hm ...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020