Microsoft patching zero-day Windows 7 SMB hole

Microsoft on Friday said it is working on a fix for a vulnerability in the Server Message Block file-sharing protocol in Windows 7 and Windows Server 2008 Release 2 that could be used to remotely crash a computer.

The software giant had said on Wednesday that it was looking at the bug, discovered by researcher Laurent Gaffié, who published proof-of-concept code on a blog.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this [denial-of-service] vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted," Dave Forstrom, group manager for public relations at Microsoft Trustworthy Computing, said in a statement. "It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue."

Microsoft is not aware of attacks to exploit the hole at this time, he said.

In an advisory, Microsoft criticized the way Gaffié handled the discovery.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," the advisory said. "We continue to encourage responsible disclosure of vulnerabilities."

The advisory suggests that customers block Transmission Control Protocol, or TCP, ports 139 and 445 at the firewall, as a workaround until a patch is ready.

[Vegaman_Dan]

Start your engines! Who will be the first to say that Apple is better because it doesn't have flaws?

[Super2online]

It's tough being the most successful software company in the world. You become the target for every Tom, Dick, and Harry looking for another excuse to throw mud to make themselves feel better. But thats ok, we should let them have their moment. It's not easy being jealous, ya know?

[ckurowic]

I'll be the first to say you have no life.

[slickuser]

Microsoft should fix the remaining 6 holes as soon as possible.

[Random_Walk]

"Seven hours and the only one to mention fruit is the Vege....."

Well, they are in the same food group. ;)

[rationalreview]

Apple and third party fails again. Just got this email from a University I'm an alumni of. iclicker, which is utilized by millions of students and thousands of Colleges.
Attention Mac Users: IMPORTANT NOTICE ABOUT SNOW LEOPARD!

It has come to our attention that the early release of the latest upgrade to Apple's operating system, OS X v10.6 (Snow Leopard), causes significant compatibility issues with eInstruction clickers. As it is difficult to revert back to a previous version of the operating system, we highly recommend that eInstruction users DELAY UPGRADING TO SNOW LEOPARD until eInstruction®can address these issues and provide full support for our family of products.

[Vegaman_Dan]

@Random_Walk:

I see you failed to see the point here. I brought up the MSFT vs Apple issue in hopes that people would realize how silly and stupid it is to debate such things endlessly. And baed on the comments here so far, that attempt was successful. :)

[grabacontroller]

Nothing is perfect including you.

[n3td3v]

Gaffié hope you're happy with your self nobody else is

[Lerianis3]

I am happy with him..... he did the right thing in this case, 3 days almost is more than enough time to send out a super-critical patch for an issue like this via Windows Update, especially since this flaw shouldn't have been in SMB in the first place.

[n3td3v]

"3 days almost is more than enough time to send out a super-critical patch for an issue like this via Windows Update"

You don't know much do you about what goes into it to roll out a patch on a world-wide scale in such a widely used product. It cannot be done in three days, it takes a least a month minimum to verify the vulnerability, documentation prepared, the patch developed and tested to meet the requirement.

If Microsoft rushed a patch and it wasn't to the correct standard and it crashed every system world-wide, there would be an outcry.

There is no excuse for what Gaffié did, he has no respect for Microsoft, its customers or internet security and the security industry of security professionals.

Keep in mind security professionals need to test the Microsoft patches in-house before they get rolled into individual corporate networks even if a patch is released.

It's everybody affected by such bad disclosures as this not just Microsoft. If you think this is teaching Microsoft a lesson its not, its a sure way to get everyone in the security industry not to like you though.

Security professionals are happy with the required time it takes Microsoft to release a patch, it cannot be done any faster than it is currently.

Gaffié is a loner on this issue if he thinks direct action will change corporate policy, its border-line cyber-terrorism.

[Gold_Storm_Mac]

no comment

[n3td3v]

I was speechless as well when I seen Gaffié's timeline:

November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknoledge the vuln
November 11th, 2009: MRSC try to convince me that multi-vendor-ipv6 bug
shouldn't appears on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released

[rationalreview]

dummy, that is a comment. Anyone ever wanted to know the frequencey of size of OSX updates see here: http://support.apple.com/downloads/#macosx104
Most updates are plus 100mb's and many over 300mb's. Also, their naming and filing systems for it are, well, out dated.

[Vegaman_Dan]

@Gold_Storm_Mac:

"No comment"

In the response to your comment of "no comment," I have only this to say:

No response necessary.

[shellcodes_coder]

This is not a zero-day hole: Windows 7 Hole Was Not a 'Zero-Day Exploit': http://www.pcmag.com/article2/0,2817,2355864,00.asp

And unlike OS X users we don't have to wait for months and downloads 100s of MB of security updates. Kudos to Microsoft :)

[subslug]

Yeah, really great work Microsoft. You rock!

Shocking story that they released software that had security problems.....it's not like them.

[Vegaman_Dan]

Oh come on now, Apple releases lots of security updates- they just aren't called that. Most updates hese days come through updates for iTunes. It's a very good vector for making OS changes with updates that don't call attention to themselves.

But you know what? I don't care as long as the products get updated however it happens.

[shellcodes_coder]

"It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue." Enough!!

[Mr. Dee]

Default Firewall settings, IE Protected Mode, Installed and Updated Antivirus, UAC, using a Limited User Account, behind hardware based firewall/NAT and Microsoft is releasing a patch on top of it, I don't see why anybody should be making a really big deal about this. Its not like the OS is purposely deleting personal data in accounts on the system requiring a 468 MB update to fix it.

[shellcodes_coder]

True, completely agree with you

[Super2online]

What, Apple's OS deletes files the user didn't request deleted? Hmmm, sounds like Apple needs to check those "I'm a PC, I'm a Mac" ads for accuracy, because we all know they wouldn't mislead anyone would they.

[rationalreview]

+1, plus everyone knows they are underhanded and lie in those commercials anyhow. Only Apple users really say, "yes, we are secure and we don't have problems, exept I have to disable this thing to make this thing work, and stand on my head while singing mary had a little lamp with one eye closed to get this other thing to work", but they believe it.

[RD1956]

I have yet to see an operateing system that does not have some type of flaw. Given enough time. Someone will find a flaw and exploit it.

[Mr. Dee]

Tell that to Justin Long

[Lerianis3]

True.... the only way that an operating system will NOT have flaws is if a computer is writing the whole operating system, and the computer itself doesn't have any 'logic' errors', like humans make on occasions since they are fallible beings.

[gertruded]

Trust Me.

[gertruded]

Trust Me.