Microsoft confirms 'detailed' Windows 7 exploit

Summary: Exploit code for the vulnerability was released by researcher Laurent Gaffié after failed attempts to get Microsoft's security response center to acknowledge that this was an issue that needs to be patched.


Microsoft has issued a security advisory to acknowledge a crippling denial-of-service flaw affecting its newest operating systems -- Windows 7 and Windows Server 2008 R2.

Exploit code for the vulnerability was released by researcher

Following the publication of stop responding until manually restarted.

Here's an explanation of the cause of the vulnerability:

The kernel in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers to cause a denial of service (infinite loop and system hang) via a (1) SMBv1 or (2) SMBv2 response packet that contains a NetBIOS header with an incorrect length value.
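The check that description implies was missing, shown as an added illustration (not Microsoft's code and not the researcher's): a small framer for SMB replies carried in the 4-byte NetBIOS session header used on TCP 445, which validates every declared length against the bytes actually received and bounds the frame loop, so an inconsistent header ends parsing instead of stalling it. The sample replies are constructed, and the buffer is assumed to hold the server's complete reply.

```python
from __future__ import annotations

NBSS_HEADER_LEN = 4       # 1 byte message type + 3 byte big-endian length
SESSION_MESSAGE = 0x00    # the only NBSS type carried on direct TCP/445
MAX_FRAME_LEN = 0xFFFFFF  # 24-bit field: nothing larger can be encoded

class FramingError(ValueError):
    """A reply that does not frame cleanly; the caller drops the connection."""

def parse_nbss_header(buf: bytes) -> tuple[int, int]:
    """Return (message_type, declared_length) from a 4-byte NetBIOS header."""
    if len(buf) < NBSS_HEADER_LEN:
        raise FramingError("short NetBIOS session header")
    return buf[0], int.from_bytes(buf[1:4], "big")

def split_frames(stream: bytes, max_frames: int = 64) -> list[bytes]:
    """Split a complete server reply into SMB message bodies.
    Every declared length is checked against the bytes actually present before
    it is used to advance, so a bogus value aborts the loop instead of stalling
    the reader; max_frames bounds the loop even when each header looks sane."""
    frames: list[bytes] = []
    pos = 0
    while pos < len(stream):
        if len(frames) >= max_frames:
            raise FramingError("too many frames in one reply")
        msg_type, length = parse_nbss_header(stream[pos:pos + NBSS_HEADER_LEN])
        if msg_type != SESSION_MESSAGE:
            raise FramingError(f"unexpected NBSS type 0x{msg_type:02x}")
        if length == 0 or length > MAX_FRAME_LEN:
            raise FramingError(f"implausible declared length {length}")
        body_start = pos + NBSS_HEADER_LEN
        body_end = body_start + length
        if body_end > len(stream):
            raise FramingError(f"header declares {length} bytes, "
                               f"only {len(stream) - body_start} present")
        frames.append(stream[body_start:body_end])
        pos = body_end
    return frames

def is_well_formed(stream: bytes) -> bool:
    """True when every frame in the reply is consistent with its header."""
    try:
        split_frames(stream)
        return True
    except FramingError:
        return False

# Constructed samples: a correctly framed 5-byte body, and the same body under a header claiming 64 bytes.
GOOD_REPLY = b"\x00" + (5).to_bytes(3, "big") + b"\xffSMBr"
BAD_LENGTH_REPLY = b"\x00" + (64).to_bytes(3, "big") + b"\xffSMBr"
```

Both SMBv1 and SMBv2 replies share this outer framing, which is why the advisory lists both.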

The vulnerability can be exploited via the Web:

In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user. This response would cause the user's system to stop responding until manually restarted. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker's site.

In the absence of a patch, Microsoft recommends that affected users block TCP ports 139 and 445 at the firewall. Windows users should also block all SMB communications to and from the Internet to help prevent attacks.


  • Ummm interesting....

    so just block 139 and 445...

    445? great that port again.

    Is SMB blocked to/from internet by the firewall by default?
    • Typically not blocked

      <i>Is SMB blocked to/from internet by the
      firewall by default?</i>

      No, typical SOHO routers typically allow all
      traffic initiated from the inside.

      In this case - because the "attack" would
      require the user to click on the malicious link
      on a malicious web page - the request would
      actually be initiated by the local machine.

      To block this you would need to block traffic
      targeting port 445 at the perimeter firewall.
      This is typically already done on corporate

      Local OS firewalls (on each machine) can also
      be set to block such traffic. But that may
      disrupt regular file sharing on corporate or
      home networks. If using Vista or Windows 7 this
      can be mitigated to only block the ports on
      "public" networks.

      However, this is NOT a serious bug. A malicious
      website can freeze your machine if they can
      fool you into 1) visiting the site AND 2) click
      on the malicious link.

      But that is ALL they can do. Once you realize
      that a certain site "freezes" your machine you
      will probably stop visiting it, eh?

      An infinite loop can not be used for malicious
      payload. <b>This is NOT an arbitrary code
      execution bug</b>. It is not a memory
      corruption bug, stack overflow or anything like
      • so 445 and 139...

        Is always allowed on public networks?

        bah... at least it's just some infinite loop....

        Just in case though I will go block 445 and 139 for internet access on my father's computer...
        • No, they are always blocked

          for <i>incoming</i> traffic on perimeter
          firewalls such as SOHO routers and corporate
          firewalls. Always.

          Actually, I just checked Windows 7 outbound
          rules, and it is by default set to <i>not
          allow</i> file sharing traffic (SMB1 and-2) on
          designated <i>public</i> networks.

          Which means that the only "vulnerable"
          (remember - this one cannot infect you with
          anything, it can merely freeze the machine)
          configuration will be

          1) a machine on a designated "home" or
          "work/domain" network where the perimeter
          firewall DOES NOT block 445 and 139 outgoing
          (in this case the machine firewall will allow
          outgoing SMB requests).

          2) a machine in a non-default configuration
          where the admin has misconfigured the firewall

          3) a machine where the user has answered the
          public/home/work network question wrongly.

          Bring your machine to a coffee shop and hook it
          up to the wifi and <i>it will not be
          vulnerable</i> to this DOS attack. EDIT:
          Because the <i>Public</i> profile in the
          firewall will <b>block the ports both incoming
          and outgoing</b>.
          • Thought so...[NT]

          • you should qualify "will not" in the sentence used

            You really need to qualify the "will not be vulnerable" in the sentence where you use it.

            You mean: [i]Bring your machine to a coffee shop, hook it up to the wifi, and set that network connection as a PUBLIC location, and then you won't be vulnerable to this DOS attack.[/i]

            which would also normally beg to have the "because" .... followed by... the public location setting will disable 139/445 by default where as home and office choices won't. ... etc....
          • You are correct. Thanks <nt>

          • Good follow-up

            I like the way you followed up on this. Good job.

            And you got it right, in every conceivable way.

            It's not surprising that Microsoft ignored this until the exploit was published. All it does is crash a session if it <i>ever</i> occurs. It should never happen to anybody who has the least idea what they're doing. I suppose some data loss could occur if it does, but only because of having to perform an improper shutdown.

            This so-called exploit is pretty far-fetched. You really do have to go out of your way to make your LAN vulnerable on purpose. Use VPN to access your LAN via internet.
      • No, that's simply wrong in every way.

        [B]Local OS firewalls (on each machine) can also
        be set to block such traffic.[/B]

        Nope, a default firewall on a client machine should block EVERY SINGLE listening port, and you only open if you need them. Of all the windows users out there, probably 80% never share a thing.

        [B]However, this is NOT a serious bug[/B]

        Until they use this in a different way.

        Any firewall by anyone (and I would lambaste ANY default firewall in Linux on a client machine) that doesn't block all incoming ports is wrong.

        • If you're going to correct someone

          you should perhaps understand the issue at hand. Again, incoming traffic from "public" networks, ie the internet, is blocked on all ports. Only ones you specifically allow are open and listening. However that is not the bug [b]AT ALL[/b].

          You have to navigate to an IP address on a Windows file share that has the exploit enabled. So you'd have to go to \\ and it would have to be triggered from your own machine. Whatever ports you are listening on makes absolutely no difference, this is not a remote execution attack on your home PC. It also doesn't cause any elevated privileges or ability to run code on a remote PC. It simply locks up the PC.

          While I think it needs to be fixed you should probably understand what is going on before you tell someone they're wrong.
          • Just Curious

            what made you pick ?
        • Yep, you are wrong

          The default firewall should (and does) block
          every single listening port, <i>unless</i> you
          are sharing resources, like on a <i>home</i>
          network. In that case it should allow <i>only
          those ports</i>. And that is exactly what
          Windows Vista/7 firewalls do. They are aware of
          to what type of network they are connected

          Let me repeat this: <b>An infinite loop cannot
          be exploited in any other way than to eat up
          CPU </b>. Got that?

          Repeat: This bug <b>can not be exploited to pwn
          a single machine</b>. None, zilch, nada.
          • You were unclear.

            I wrote the question below. I don't have Windows of any flavor, but what you wrote led me to question...

            [B]for incoming traffic on perimeter
            firewalls such as SOHO routers and corporate
            firewalls. Always. [/B]

            Implying it wasn't a problem because of that so default incoming open was OK, which it isn't, so we all agree, lol.

            All the rest of your post is outbound discussion. Now, I know what an endless loop is, however, nobody has leveraged one exploit to find another, which was my long term concern if the firewall is open on incoming by default.

          • I apologize

            There are so many MS detractors swarming the
            talkbacks on any MS subject and most of them
            are willfully ignorant. They just want to
            spread FUD and don't care much for the
            technical details.

            I answered you in a little too brisk way. I
            apologize for that.

            Let me see if I can explain this.

            1) An infinite loop has never and will <b>never
            be able to carry malicious payload</b>. The
            "worst" it can achieve is to eat up CPU *or* if
            it happens inside a critical section it can
            hold a crucial lock on a system forever.
            Suggesting that new details can emerge which
            can make this more serious is simply FUDing.
            There is nothing to suggest such thing. Never
            has been.

            2) All Windows machines except those on
            corporate/home networks and which are sharing
            files/printers/media <i>for others to use</i>
            block these ports <i>incoming</i>. This means
            that attacks <b>can not be launched from the
            Internet without user intervention</b> against
            any machine on a corporate/home network.
            Windows Vista/7 on public network <i>also</i>
            blocks the ports incoming.

            3) If a machine <i>inside</i> a corporate/home
            network came under the control by an attacker
            (through some other attack as this one can not
            be used to pwn a machine), an attacker
            <i>could</i> use this vuln to denial-of-service
            attack 2008R2 file sharing servers and Windows7
            machines sharing files. If the attacker has
            control of a machine in your network, this is
            probably the least of your concerns.

            4) Windows 7 firewall blocks the relevant ports
            <i>outgoing</i> on public networks. It also by
            default blocks them <i>outgoing</i> on
            corporate/home networks until the user wants to
            use shared resources elsewhere, at which point
            it turns on "network file sharing".


            A. The default settings of Windows7 and the
            normal practices on corporate network firewalls
            and SOHO routers <i>will block</i> any attack
            <i>from the outside</i>. Bar some gross
            misconfiguration, an attacker from the Internet
            cannot attack any machine without social

            B. An attack is possible by leveraging social
            engineering combined with this bug. To be

            1. The PC must be on a home network (or a
            corporate network with a weak perimeter
            firewall) and "network file sharing and
            discovery" has to be turned on.

            2. The attacker must then trick the user into
            visiting a maliciously constructed web page.

            3. On that page the attacker must trick the
            user into clicking a maliciously constructed
            (SMB) link.

            4. At that point the user's PC will reach out
            <i>through the firewalls</i> and contact the
            server of the attacker. This server will
            respond with an invalid and malicious packet.
            When handling the response the attacked machine
            will enter an infinite loop.
          • Actually..

            can also be used to exacerbate race
            conditions in poorly designed code.
      • Yay, looks like MS finally did it right this time, with Windows 7.. oh wait

        • Re: Yay.................

          Just like "Mac" did!!

          "Mac OS X patch covers 58 security vulnerabilities!"

          You do realize people in glass houses "shouldn't throw stones!!"

          Now, tonight, when you go to bed repeat this little prayer to your Mac god. Mac is good, Mac is great, and we thank you for the "HYPE!" Amen.
          • Fuck your stupid little Macs.

            They're almost as bad as Windows.
  • It's started already.

    I don't think MS could release a bigger sieve if they tried to. And to think, a person has to pay for such insecurity. 7 is a POS. From the user interface down to the core. At least Vista had a decent UI. 7 will prove to be the worse offering yet from MS.
    • Doubtful.

      "I don't think MS could release a bigger sieve
      if they tried to."

      Everybody is a sieve. It's only really a matter
      of how many people want to find holes in it.
      Microsoft happens to be a favorite target.

      "And to think, a person has to pay for such

      The benefits of using Windows 7 outweigh the
      risks in many cases.

      "7 is a POS."

      7 is great.

      "From the user interface down to the core."

      The interface is the best I've seen. The core
      is actually quite good - most exploits you hear
      of are generally not in the core. This just
      happens to be an exceptional case.

      . . . and exceptional cases are generally what
      drives the news, hence why it's on ZDNet.

      "At least Vista had a decent UI."

      Most people like 7's UI better than Vista. I
      think it's a great UI.

      " 7 will prove to be the worse offering yet
      from MS."

      It's already growing far faster than Vista did
      at the same point, and from what I'm seeing,
      most people think it's far better than Vista.