Protect your PCs from Windows 7's zero-day exploit
- — 13 November, 2009 10:40
It was a notable accomplishment when Windows 7 was not impacted in any way by the vulnerabilities addressed in the six Security Bulletins released by Microsoft for the November Patch Tuesday. It would be even more impressive if Windows 7 proved invulnerable to the zero-day exploit that hit the next day.
This newly found bug was discovered by Laurent Gaffie and details were posted on the Full Disclosure mailing list. Microsoft is investigating the reported flaw which basically crashes a Windows 7 system when exploited. The issue is in the SMB (Server Message Block) protocol that forms the backbone of Windows file sharing. When triggered, the flaw results in an infinite loop which renders the computer useless.
Tyler Reguly, Lead Security Research Engineer with nCircle, explains "Exploitation of this vulnerability occurs when a user attempts to browse to Windows Share hosted on the malicious server. On Windows 7, the DoS (denial of service) will occur as soon as you type '\\<ip>\' in the search box. "
The vulnerability actually impacts both Windows 7 and Windows Server 2008 R2. There are currently a couple different proof-of-concept exploits circulating, but there are no reported attacks in the wild at this point. Because the flaw only enables an attacker to crash the system, and doesn't provide any unauthorized remote access that could lead to compromising information or performing other malicious activities, the odds of the exploit being actively used by attackers is fairly slim.
With some SMB-based bugs, you can minimize the risk of exposure by blocking SMB traffic at the router or firewall--essentially making sure that no outside source would be able to attack systems on your network. Blocking TCP ports 135 through 139, and port 445 will prevent outside SMB traffic from entering the network.
With the firewall blocked, the threat still exists internally, but ostensibly the systems on the internal network should be more trusted than those on the Internet and hopefully nobody on the internal network would intentionally launch such an attack. You could block those ports on the internal network as well, but then systems would be unable to access file and folder shares on the network.
With this particular bug though, the firewall will not protect you completely from outside attacks. Reguly says "There is an Internet Explorer-based attack vector. By including a file stored on a share in the HTML of the web page the flaw can be triggered. But, once again the result is a denial of service."
Until Microsoft completes its investigation of the issue and releases a patch, you will just have to be vigilant about avoiding suspicious or malicious links on web pages. Because of the limited value of a DoS for the attackers, odds are good you won't see any attacks from this.
Microsoft has described Windows 7 as the most secure operating system it has yet developed but 'most secure' doesn't mean impervious. Windows 7 is still significantly more secure than Windows XP, but news of the Windows 7 vulnerability certainly overshadows the fact that Windows 7 wasn't impacted on Patch Tuesday.