Microsoft: SMB 2.0 hole does affect Vista, not Windows 7
A security advisory issued by Microsoft late yesterday takes to task a security consultant for a British ISP who apparently, and possibly even accidentally, discovered a way that the Server Message Block 2.0 driver can trigger an instant Windows crash. Rather than report the incident directly to Microsoft, Laurent Gaffié went public with his findings first, in a way that appears to have triggered the enthusiasm of the black-hat side of the security community.
"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," reads yesterday's Security Advisory 975497. "We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."
The problem appears to be this: should the SMB 2.0 driver in Windows Vista and Windows Server 2008 receive a message header whose contents may have been shifted by one character, so that an ampersand (&) that belongs elsewhere ends up instead in the high word of the Process ID field, the driver may crash and take the operating system down with it. Yesterday, Microsoft acknowledged that this issue affects 32- and 64-bit versions of Windows Vista and Windows Server 2008, with or without all service packs installed.
But all versions of Windows 7 and Windows Server 2008 R2, both of which have just been released to manufacturing, are explicitly included in the "Non-Affected Software" category, verifying independent security researchers' findings that the newest kernels and the latest drivers for those kernels apparently do filter out the shifted &. Gaffié's original report, based on snapshots we saw carried on other blogs, only mentioned Vista as the affected OS, and only speculated on Windows Server 2008. In later versions of that same report, someone -- perhaps not Gaffié -- added a "7" to the affected OS list, leading many blogs to trumpet the news that a pre-release Windows 7 hole had been found. At least one blog went on to speculate that the "discovery" would force Microsoft to suspend Win7's October 22 general availability release date.
Evidence from the real world, however, suggests this will not happen.
As temporary workarounds until Microsoft can assemble a patch for the fault, the company suggests that administrators either effectively uninstall SMB 2.0, by way of a System Registry change that replaces the "on" setting for the driver with a zero, or set their firewalls to block incoming traffic on TCP ports 139 and 445. Non-administrators or non-expert users of Vista are advised to set their network profiles to Public, which is a catch-all setting that blocks all unsolicited inbound packets, including on these two ports.
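The two administrator workarounds described above, scripted as an added example (this is not code from the article or from Microsoft's advisory). It assumes an elevated PowerShell prompt on Vista or Server 2008, and that the registry location and value name for the SMB 2.0 "on" switch are `Smb2` under the `LanmanServer\Parameters` key; that location is taken from general knowledge of the advisory's workaround rather than from this page, so verify it against Security Advisory 975497 before relying on it. The firewall rule names are my own.

```powershell
# Added example: apply, reverse and check the two 975497 workarounds.
# Assumption (not stated on the page): the SMB 2.0 switch lives at
# HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, value Smb2.
# Run elevated. Uses netsh for the firewall because the newer firewall
# cmdlets do not exist on Vista / Server 2008.

$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$SmbPorts  = 139, 445
$RulePrefix = 'Workaround 975497 - block inbound TCP'   # constructed name

function Disable-Smb2Driver {
    # Replace the driver's "on" setting with a zero so the server falls
    # back to SMB 1. The Server service reads this at start, so restart it.
    if (-not (Test-Path $SmbParams)) { throw "Key not found: $SmbParams" }
    Set-ItemProperty -Path $SmbParams -Name 'Smb2' -Value 0 -Type DWord
    Restart-Service -Name LanmanServer -Force
}

function Enable-Smb2Driver {
    # Reverse the registry workaround once the vendor patch is installed.
    Set-ItemProperty -Path $SmbParams -Name 'Smb2' -Value 1 -Type DWord
    Restart-Service -Name LanmanServer -Force
}

function Block-SmbInbound {
    # One inbound block rule per port (139 and 445) in Windows Firewall.
    foreach ($port in $SmbPorts) {
        $name = "$RulePrefix $port"
        & netsh advfirewall firewall add rule name="$name" dir=in `
            action=block protocol=TCP localport=$port | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for port $port" }
    }
}

function Unblock-SmbInbound {
    # Remove the block rules added by Block-SmbInbound.
    foreach ($port in $SmbPorts) {
        & netsh advfirewall firewall delete rule name="$RulePrefix $port" | Out-Null
    }
}

function Get-WorkaroundStatus {
    # Report whether each workaround is currently in place. A missing Smb2
    # value means the driver is at its default (enabled).
    $smb2 = (Get-ItemProperty -Path $SmbParams -Name 'Smb2' `
             -ErrorAction SilentlyContinue).Smb2
    $portStatus = foreach ($port in $SmbPorts) {
        $out = & netsh advfirewall firewall show rule name="$RulePrefix $port" 2>$null
        [pscustomobject]@{
            Port    = $port
            Blocked = [bool]($out | Select-String -Pattern 'Action:\s+Block' -Quiet)
        }
    }
    [pscustomobject]@{
        Smb2Disabled   = ($smb2 -eq 0)
        PortsBlocked   = $portStatus
    }
}

# Usage (elevated):
#   Disable-Smb2Driver; Block-SmbInbound; Get-WorkaroundStatus
#   Enable-Smb2Driver; Unblock-SmbInbound   # after patching
```

Blocking 139 and 445 at the host firewall also stops legitimate file and printer sharing to that machine, so on a server the registry workaround alone is usually the less disruptive choice; `Get-WorkaroundStatus` lets you confirm the state before and after, and both workarounds should be reversed once the vendor fix is applied.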