Microsoft confirms SMB2 vulnerability, warns of code execution risk

The vulnerability, which was originally released as a denial-of-service issue, does not affect the RTM version of Windows 7, Microsoft said.    It appears Microsoft fixed the flaw in Windows 7 build ~7130, just after RC1.  Windows Vista and Windows Server 2008 users remain at risk.

The Microsoft advisory is somewhat confusing.  It mentions the plural "vulnerabilities" in the title but later warns of "a possible vulnerability in Microsoft Server Message Block (SMB) implementation."

[ SEE: Windows 7, Vista exposed to 'teardrop attack' ]

It is, however, very clear about the risk severity:

An attacker who successfully exploited this vulnerability could take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.

[ SEE: Microsoft patches gaping Windows worm holes ]

Microsoft points to this CVE entry to explain the actual bug:

Array index error in the SMB2 protocol implementation in srv2.sys in Microsoft Windows 7, Server 2008, and Vista Gold, SP1, and SP2 allows remote attackers to cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location.

Proof of concept code, which allows an attacker to remotely crash any vulnerable machine with SMB enabled, is publicly available.

In the absence of patch, Microsoft recommends that users disable SMB v2 and block TCP ports 139 and 445 at the firewall.