Security

Microsoft on Friday said it is working on a fix for a vulnerability in the Server Message Block file-sharing protocol in Windows 7 and Windows Server 2008 Release 2 that could be used to remotely crash a computer.

The software giant had said on Wednesday that it was looking at the bug, discovered by researcher Laurent Gaffié, who published proof-of-concept code on a blog.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this [denial-of-service] vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted," Dave Forstrom, group manager for public relations at Microsoft Trustworthy Computing, said in a statement. "It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue."

Microsoft is not aware of attacks to exploit the hole at this time, he said.

In an advisory, Microsoft criticized the way Gaffié handled the discovery.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," the advisory said. "We continue to encourage responsible disclosure of vulnerabilities."

The advisory suggests that customers block Transmission Control Protocol, or TCP, ports 139 and 445 at the firewall, as a workaround until a patch is ready.

Microsoft said on Wednesday it is looking into a report of a vulnerability in Windows 7 and Server 2008 Release 2 that could be used by an attacker to remotely crash the computer.

The company is investigating claims of a "possible denial-of-service vulnerability in Windows Server Message Block (SMB)," the Microsoft spokesperson said, adding that the company was unaware of any attacks trying to exploit the hole.

The bug triggers an infinite loop on the Server Message Block (SMB) protocol used for sharing files in Windows, researcher Laurent Gaffié wrote in a posting on the Full-Disclosure mailing list and on a blog.

"Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS [NetBIOS Naming Service] tricks," Gaffié wrote.

Gaffié also posted proof-of-concept code for the "Windows 7, Server 2008R2 Remote Kernel Crash."

On Tuesday, Microsoft issued six patches to fix 15 vulnerabilities, including a critical hole in the Windows kernel, as part of November's Patch Tuesday.

Corporate IT departments should be pleased with new security measures in Windows 7, but consumers are still at risk of getting hit by malware despite changes in the User Account Control (UAC) feature designed to help people be smarter when using applications, security experts say.

Probably the most talked about security change in Windows 7, scheduled for public release on Thursday, are modifications to the UAC, which was introduced in Vista. The UAC was designed to prevent unauthorized execution of code by displaying a pop-up warning every time a change was being made to the system, whether by the operating system or a third-party application.

Vista users complained that they were bombarded with the warnings and security experts speculated that as a result, many people were just ignoring them or turning them off.

With Windows 7, users can choose how often they want to be notified and the default is set to notify only when a third-party application is making a change, as well as when a change is being made to the UAC itself.

However, an attacker could use code injection and exploit several components in Windows 7 that auto-elevate to bypass UAC and get full access to the machine, experts have warned.

A Sophos white paper from September says: "Another issue with these default (UAC) settings is that malware could bypass the system by injecting itself into a trusted application and running from there. Indeed, some malware has been observed spoofing UAC-style prompts to obtain user permission to operate unimpeded."

Chester Wisniewski, a senior security adviser at Sophos, reiterated points made in the white paper and said Microsoft should also drop its practice of hiding file extensions by default, which makes it easy for users to be duped by malware.

"The changes to Windows 7 UAC have made it easy for malware writers to turn UAC off entirely without the user's knowledge. Microsoft recommends keeping UAC turned on and yet allows malware to turn it off without the user's knowledge," writes Ray Dickenson, chief technology officer at Authentium, in a recent blog post.

"If malware is on the computer, hasn't the game already been lost? Why worry about UAC if a password-stealing Trojan is on your computer?" Dickenson writes. "The answer lies in the difficulties inherent in identifying a program as goodware or malware."

Jon DeVaan, senior vice president of the Windows Core Operating System Division, attempted to address the concerns in a blog post from February: "We know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system. We know that Windows 7 and IE8 together provide improved protection for users to prevent malware from making it onto their machines... and we know that UAC is not 100 percent effective at stopping malware once it is running."

In a study of two groups of "regular people" testers, one group using the default setting and the other using the "Always Notify" setting, there was "no meaningful difference in malware infestation rates between the two groups," DeVaan wrote.

However, that was a limited test and it doesn't rule out the possibility that malware will find its way onto systems and try to elevate privileges.

David Sancho, a senior antivirus researcher at Trend Micro, noted that while the UAC changes in Windows 7 will improve the user experience by cutting back on the number of alerts, the operating system will be responsible for making more decisions about system changes, which won't always be good for the user.

Going forward, the real test of security in the near future is the browser because so many attacks and malware infections are now coming from the Web, he added.

"Internet Explorer 8 is lagging behind the rest of the browser vendors," Sancho said. "I see that as a pain point in the future...that can hold up the security of the overall system."

Asked to comment on the concerns, a Microsoft spokesman said in an e-mail: "Windows 7 is not designed to be a security boundary that prevents malware already on the system from making changes to a user's system. What it is designed to do is make users running with administrative rights, and software developers, more aware when software is attempting to perform an operation that requires full administrative rights...UAC is a security feature only in so far as it helps an increasing number of home and corporate users run in standard user accounts."

For enterprises, Windows 7 offers several interesting security boosts, experts said.

First off, the new operating system addresses an issue that has created headaches for administrators at corporations affected by Conficker and even the U.S. Department of Defense--viruses that spread via USB drive. With Windows 7, most USB drives will not be able to automatically launch a program using a Windows feature known as AutoRun, also known as AutoPlay.

However, some specialized USB flash drives present themselves as CD or DVD drives to the operating system and will still be able to use AutoRun. Because of that, Patrik Runald, senior manager of security research at Websense, said Microsoft should disable the feature entirely. "I don't think they went far enough," he wrote in an e-mail.

And Windows 7 offers BitLocker to Go encryption support for USB drives for the Ultimate and Enterprise editions. It protects the data in case the USB drive is lost or stolen.

The operating system also features an enhanced security controls interface called Windows Action Center that provides more "actionable advice around how to work with firewalls" and other security issues, Wisniewski said.

To see screen shots from Windows Action Center visit this CNET Reviews slide show.

Meanwhile, several security vendors said that working with Microsoft on product support went well for Windows 7.

For example, developers at Kaspersky Lab found it easier to provide support for Windows 7 than for previous versions of Windows because of the early availability of the beta version and the fact that there were relatively minor changes made in the operating system functionality during the beta testing process. "Microsoft did everything to help developers optimize their products for Windows 7," Kaspersky said in a statement.

Correction at 9:02 a.m. PDT: Patrik Runald's name was initially spelled incorrectly in this post.

Security in Windows 7

See what security features are new and improved in Windows 7 in this slideshow, emphasizing what you can do from the Action Center's security tools.

Microsoft released a record number of 13 bulletins for 34 vulnerabilities on Patch Tuesday--and the first critical update for Windows 7--as well as fixes for zero-day flaws involving Server Message Block (SMB) and Internet Information Services (IIS).

The most severe of the three SMB flaws, which were first reported last month, could allow an attacker to take control of a computer remotely by sending a specially crafted SMB packet to a computer running the Server service. Exploit code for one of the SMB holes has been posted to the Web, Microsoft said.

Windows 7 is affected by two critical patches intended to mend vulnerabilities that could allow remote code execution if a malicious Web page were viewed, one part of a cumulative security update for Internet Explorer and the other in .Net Framework and Silverlight.

The official release date for Windows 7 is October 22, but the new operating system has been available to some large businesses with volume licenses since the summer. The code was finalized in July.

Other critical patches in the security bulletin for October fix a vulnerability in Windows Media Runtime that could be exploited if a user opened a malicious media file or received malicious streaming content from a Web site or application, and if a specially crafted ASF (Advanced Systems Format) file is played using Windows Media Player 6.4.

Among the critical updates: a cumulative security update of ActiveX Kill Bits that is being exploited and that affects ActiveX controls compiled using Active Template Library (ATL); and another patch resolving several vulnerabilities in ATL ActiveX Controls that could allow remote code execution if a user loaded a malicious component or control. ActiveX and ATLs were the subject of an emergency patch Microsoft released in July.

The final critical bulletin fixes a hole in Windows GDI+ (Graphics Device Interface) that could allow an attacker to take control of a computer if the user viewed a malicious image file using affected software or browsed a malicious Web page.

"Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows, and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse-engineer today's patches, which may very well lead to exploits being created," said Dave Marcus, director of security research and communications at McAfee Labs.

Related "For the Record" podcast, with Symantec's Ben Greenbaum
Listen now: Download today's podcast

Nine of the vulnerabilities were previously disclosed, which meant that attackers had time to come up with so-called "zero-day" exploits before the patches were available, Marcus noted.

The most alarming vulnerability in the mix is the SMB flaw, which was introduced by the patch for a different vulnerability, according to Josh Phillips, virus researcher at Kaspersky Lab.

Andrew Storms, director of security operations at nCircle, said the bug that is likely to have the biggest impact will be the critical one that affects Windows Media Runtime and involves a speech codec bug that has limited exploits in the wild. "This is a typical file-parsing issue and similar to vulnerabilities that have allowed attackers to create drive-by attacks that infect unsuspecting video viewers," he said.

Meanwhile, the critical SMB vulnerability is relatively difficult to exploit given default firewall conditions, but the IIS bugs are easy to exploit, Storms added.

"The sheer volume of the bulletins and patches is extreme," said Jason Miller, senior data team leader for Shavlik Technologies. "This is really going to affect administrators. It's going to be very challenging because of the time and research that's going to be needed" to patch systems.

Also released were five bulletins rated "important" to fix vulnerabilities in IIS, for which exploit code has been publicly released and for which there have been limited attacks, along with Windows CryptoAPI, Windows Indexing Service, Windows Kernel, and Local Security Authority Subsystem Service.

The update for Windows CryptoAPI relates to flaws in the way domain names are verified on the Internet, which could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. The holes were revealed by researchers Dan Kaminsky and Moxie Marlinspike at Defcon in August.

Affected software includes Windows 7; Windows 2000; Windows XP; Windows Vista; Server 2003 and 2008; Office XP, 2003, and 2007; Microsoft Office System; SQL Server 2000 and 2005; Silverlight; Visual Studio .Net 2003; Visual Studio 2005 and 2008; Visual FoxPro 8.0 and 9.0; Microsoft Report Viewer 2005 and 2008; Forefront Client Security 1.0; and Office software including Visio, Project, Word Viewer, and Works.

The installation also removes the Win/FakeScanti Trojan, which displays fake malware warnings and then asks computer users to pay for fake antivirus software.

(For more information and analysis from Symantec, listen to my colleague Larry Magid's podcast.)

Update: This story was updated at 2:15 p.m. PDT with additional comment and at 11:47 a.m. PDT with more details and reaction from experts.

Microsoft said on Tuesday that it is investigating reports of a zero-day vulnerability affecting Windows 7 and Vista.

The flaw in Windows 7 could allow an attack which would cause a critical system error, or "blue screen of death," according to researcher Laurent Gaffie.

Gaffie wrote in his blog that the flaw lies in a Server Message Block 2 (SMB2) driver.

"SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality," wrote Gaffie in a blog post Monday.

Gaffie said he had contacted Microsoft. Comments on his blog by other users said that the flaw could lead not only to denial of service, but could also lead to remote code execution.

Microsoft said in a statement on Tuesday that it was investigating, but said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."

Computer security publication "The H" wrote on Tuesday that its German sister publication had tested the proof-of-concept code, and that while the exploit had caused a reboot on Vista, the exploit had not worked on Windows 7.

Metasploit creator HD Moore said in a tweet on Tuesday that an SMB bug appeared to have been introduced into Vista SP1. Coder Josh Goebel said in a blog post that he had added the exploit code to Metasploit.

Tom Espiner of ZDNet UK reported from London. CNET News' Ina Fried contributed to this report.

(Credit: Dong Ngo/CNET)

Alex Kochis, Microsoft's director of Genuine Windows, posted a blog late Thursday addressing the "leak of a special product key" of Windows 7 RTM (release to manufacturers). This confirmed the rumor on Tuesday that an ISO file of Windows 7 RTM sent to Lenovo that contains a master key--a number used to verify the authenticity of the software--was leaked to the Internet.

According to the blog, "The key is for use with Windows 7 Ultimate RTM product that is meant to be preinstalled by the OEM (original equipment manufacturer) on new PCs to be shipped later this year. As such, the use of this key requires having a PC from the manufacturer it was issued to. We've worked with that manufacturer so that customers who purchase genuine copies of Windows 7 from this manufacturer will experience no issues validating their copy of Windows 7. At the same time we will seek to alert customers who are using the leaked key that they are running a non-genuine copy of Windows. It's important to note that no PCs will be sold that will use this key."

This means the hacked key will still work, though it will likely be identified, presumably when the computer with this version of the hacked Windows 7 OS installed connects to download updates from Microsoft.

Kochis said Windows 7 includes an improved capability to detect activation exploits and it should be able to alert the customer when the leaked version or other hacks are used to install Windows 7 on a PC.

He added, "Our primary goal is to protect users from becoming unknowing victims, because customers who use pirated software are at greater risk of being exposed to malware as well as identity theft. Someone asked me recently--and I think it's worth noting here--whether we treat all exploits equally in responding to new ones we see. Our objective isn't to stop every "mad scientist" that's out there from dabbling; our aim is to protect our customers from commercialized counterfeit software that impacts our customers' confidence in knowing they got what they paid for."

Personally, I don't see what Microsoft can do now that the key and the ISO is out in the wild, other than wait for a system installed with that copy of Windows 7 to connect to its update servers. In the meantime, it can issue another key to OEMs to make sure they don't use they leaked key and hope that consumers will buy its genuine product and, of course, pay the full price for it.

It's safe to say that we probably have to wait for a service pack of the operating system to be sure that this leak is fully addressed. In the meantime, this leaked key could still pose a big problem if the hackers are able to alter the ISO and sell it as counterfeit retailed package of the OS. In this case, customers will only find out that they don't have an genuine copy, if they ever do, when it's too late.

Microsoft only just released final code for Windows 7 to manufacturers and the company is already facing a security risk.

The Windows Genuine Advantage antipiracy system in the Windows 7 Ultimate release to manufacturers (RTM) has reportedly been compromised by some Chinese hackers, according to a variety of Chinese forums, and first reported by Neowin.com.This means the user can fully activate the software offline without connecting to Microsoft's activation server.

The software's RTM code is generally the same as the retail code, which will be available to the public in October. PC makers tend to get the final product with plenty of time in advance of the launch to make their products ready on the launch date.

It must have been a complicated process, but in a nutshell, hackers reportedly used the leaked ISO file to get hold of the activation certificate that Microsoft digitally signed for the original equipment manufacturer, or OEM version of Windows 7. It's rumored that the key that got hacked is one that can be used to activate multiple OEM-branded installations, such as Dell's, HP's, or, of course, Lenovo's.

I am no fan of the activation, (it's a pain when you change computer parts, which I do very frequently) but this is rather upsetting news. I am sure, in no time, you will be able to buy a copy of Windows 7 in China or Vietnam for less than a dollar.

Addressing this, Microsoft released a this statement to CNET News:

We are aware of reports of activation exploits that attempt to circumvent activation and validation in Windows 7, and we can assure customers that Microsoft is committed to protecting them from counterfeit and pirated software. Microsoft strongly advises customers not to download Windows 7 from unauthorized sources. Downloading Windows 7 from peer-to-peer Web sites exposes users to increased risks--such as viruses, Trojans, and other malware and malicious code--that usually accompany counterfeit software. These risks can seriously harm or permanently destroy data and often expose users to identity theft and other criminal schemes.

A pirated version of Windows 7 Release Candidate infected with a Trojan horse has created a botnet with tens of thousands of bots under its control, according to researchers at security firm Damballa.

The software, which first appeared on April 24, spread as quickly as several hundred new bots per hour, and controlled roughly 27,000 bots by the time Damballa took over the network's command and control server on May 10, the firm said Tuesday.

The pirated software was spread via popular piracy sites and online forums, Damballa said.

The software is primarily designed to download and install other malicious packages under a "pay-per-install" scheme, under which the botmasters are paid based on the number of other pieces of malware they cause to be installed, Damballa said.

Infected installations are continuing to appear at a rapid rate, according to the company.

"We continue to see new installs happening at a rate of about 1,600 per day with broad geographic distribution," Tripp Cox, Damballa's vice president of engineering, said in a statement. "Since our takedown (of the command and control server), any new installs of this pirated distribution of Windows 7 RC are inaccessible by the botmaster."

However, the botmaster still controls the existing installations, Damballa said. The infected systems are mainly concentrated in the U.S., with 10 percent, and the Netherlands and Italy, with 7 percent each.

Windows 7 RC has been used as a lure by other malware distributors since its launch on May 5, according to security experts. On Monday, Trend Micro said it found the Trojan horse TROJ_DROPPER.SPX masquerading as a copy of the release candidate.

Botnets are one of the most serious threats on the Internet, according to security experts, and are typically used to carry out denial-of-service attacks or phishing schemes or to send junk mail. Last month, SecureWorks researcher Joe Stewart suggested that technology was not enough to stop botnets, arguing that the IT industry should look to new law-enforcement measures.

The legitimate version of Windows 7 RC is available from Microsoft's Web site.

Matthew Broersma of ZDNet UK reported from London.

Images: A peek at Windows 7 release candidate