It looks like Laurent Gaffié, a black-hat or white-hat hacker (take your pick), has found a serious bug in Microsoft's new file-sharing protocol, SMB 2.0. I would say another bug, because unfortunately this SMB2 security issue is specifically due to an MS patch for a previous SMB 2.0 security issue: KB942624 (MS07-063).
It is a true zero-day vulnerability: full disclosure and a working exploit are publicly available on the Internet, on Laurent's blog.
Affected systems: Windows Vista, all editions (32-bit and 64-bit, SP1/SP2, fully updated), Windows Server 2008 (pre-R2), Windows 7 RC.
Workaround: disable the SMB 2.0 protocol if it is not needed, by setting this registry key: [HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
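The registry workaround above, as an added example that is not part of the original post: the post names only the key, so the value name Smb2 (REG_DWORD, 0 = disabled) used here is the one from Microsoft's published workaround for this issue, and the Server service must be restarted for the change to take effect. Run from an elevated PowerShell prompt on Vista / Server 2008.

```powershell
# Added example, not code from the original post: disable SMB 2.0 as an interim
# workaround until the patch ships, then confirm the setting took.
# Assumption (from Microsoft's workaround, not from the post): the switch is the
# REG_DWORD value "Smb2" under the key below; 0 disables the dialect.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2Enabled {
    # Returns $true when SMB 2.0 is offered by the Server service.
    # An absent value means the default, which on Vista/2008 is enabled.
    $v = (Get-ItemProperty -Path $key -Name Smb2 -ErrorAction SilentlyContinue).Smb2
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb2 {
    # Smb2 = 0 makes the Server service stop advertising the SMB 2.0 dialect, so
    # clients fall back to SMB 1.0 and the vulnerable srv2.sys code path is never
    # reached. New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $key -Name Smb2 -Value 0 -PropertyType DWord -Force | Out-Null

    # The value is only read when the Server service starts, so restart it.
    # -Force also restarts dependent services (e.g. Computer Browser); existing
    # file-share sessions will drop, so schedule this accordingly.
    Restart-Service -Name LanmanServer -Force
}

function Enable-Smb2 {
    # Reverse the workaround once the vendor patch has been applied.
    New-ItemProperty -Path $key -Name Smb2 -Value 1 -PropertyType DWord -Force | Out-Null
    Restart-Service -Name LanmanServer -Force
}

"SMB 2.0 enabled before: $(Get-Smb2Enabled)"
Disable-Smb2
"SMB 2.0 enabled after:  $(Get-Smb2Enabled)"   # expected: False
```

Two caveats a practitioner will want. First, this only protects the host in its server role; it does not patch anything, so keep it in place until the real fix is installed and then re-enable SMB 2.0. Second, where SMB is not needed from untrusted networks at all, blocking inbound TCP 139 and 445 at the host or perimeter firewall (the other workaround Microsoft published for this issue) removes the exposure entirely rather than just downgrading the dialect.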
Check Microsoft Security Advisory:
Mark Minasi made a good remark on his blog:
…when people trying out the exploit on Windows 7 and Server 2008 R2 RTM systems (that's the great thing about a zero-day exploit: everyone gets to be a "security researcher!") found, to their surprise, that those systems were not vulnerable to the Killer SMB. So read the tea leaves with me and ask, what does that mean? Well, clearly it means that at least someone at Redmond recognized that SMB 2.0 had a bug, and a serious one, and fixed it in Windows 7/Server 2008 R2… but not in Vista and Server 2008, for some reason. But what was that reason? The best possible spin is that the programmer who found the bug simply never put the "if it's a Vista SMB 2.0 bug, it's a Win 7 SMB 2.0 bug" pieces together and moved the information up the chain. A less friendly spin would note that Microsoft has one of the most iron-clad change command systems around, and that the big players just said, "heck, we can't have another embarrassing Vista story — let's sweep this one under the rug and hope that Apple never mentions it in the next PC/Mac advertisement." That's an even creepier thought since the Microsoft security bulletin reveals that an attacker exploiting this bug could not only bluescreen a system but in fact could take complete control of that system. I'm sure we'll never know the whole story.
Do you think Laurent did the right thing by publishing this bug without giving the vendor enough time to release a patch?
What do you think about the fact that this bug doesn’t affect Windows 7/Server 2008 R2?