Is the Ping Of Death Back?


Looks like Laurent Gaffié, a black hat or white hat hacker (pick the version you prefer), has found a serious bug in Microsoft's new file sharing protocol, aka SMB 2.0. I would say another bug, because unfortunately this SMB2 security issue is specifically due to a Microsoft patch for an earlier SMB 2.0 security issue: KB942624 (MS07-063).

It's a true zero-day vulnerability: full disclosure and the exploit are publicly available on the Internet at Laurent's blog.

Systems affected:
Windows Vista, all editions (64-bit/32-bit, SP1/SP2, fully updated); Windows Server 2008 (pre-R2); Windows 7 RC.

Workaround:
Disable the SMB 2.0 protocol if it is not needed by setting this registry value:
[HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"SMB2"=dword:00000000
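The following PowerShell script is an added example (it is not from the original post or from Microsoft) that audits the registry value described in the workaround above and, in an elevated session, applies it. It assumes that the Server service (LanmanServer) has to be restarted for the change to take effect, and it only treats version 6.0 (Vista / Server 2008) as definitely affected, since Windows 7 RC reports the same 6.1 version as the RTM build that the post says is not vulnerable.

```powershell
# Added example: audit / apply the SMB2 registry workaround quoted in the post.
# Run from an elevated PowerShell prompt on the host you want to check.
$Smb2KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Smb2ValueName = 'SMB2'

function Get-Smb2State {
    # Returns 'Disabled' only when the value exists and is 0; an absent value
    # means the default (SMB2 enabled).
    $props = Get-ItemProperty -Path $Smb2KeyPath -Name $Smb2ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'Enabled' }
    if ([int]$props.$Smb2ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Test-AffectedOsVersion {
    # Vista and Server 2008 (pre-R2) report 6.0 and are listed as affected.
    # Windows 7 RC (listed) and Windows 7 / 2008 R2 RTM (reported as not
    # vulnerable) both report 6.1, so 6.1 is flagged for manual review.
    $v = [Environment]::OSVersion.Version
    if ($v.Major -eq 6 -and $v.Minor -eq 0) { return 'Affected' }
    if ($v.Major -eq 6 -and $v.Minor -eq 1) { return 'ReviewManually' }
    return 'NotListed'
}

function Disable-Smb2 {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Writing under HKLM requires an elevated session.'
    }
    if ($PSCmdlet.ShouldProcess("$Smb2KeyPath\$Smb2ValueName", 'Set DWORD to 0 (disable SMB2)')) {
        # Set-ItemProperty creates the value if it is absent; -Type DWord matches dword:00000000.
        Set-ItemProperty -Path $Smb2KeyPath -Name $Smb2ValueName -Value 0 -Type DWord
        # Assumption: LanmanServer must be restarted to pick up the new setting.
        # -Force also restarts services that depend on it.
        Restart-Service -Name LanmanServer -Force
    }
}

# Report only; uncomment the last line (try -WhatIf first) to apply the workaround.
$osVersion = [Environment]::OSVersion.Version
$osStatus  = Test-AffectedOsVersion
"OS version {0}: {1}" -f $osVersion, $osStatus
"SMB2 is currently: {0}" -f (Get-Smb2State)
# Disable-Smb2 -WhatIf
```

Running the script as-is only reports the OS version class and whether the SMB2 value is already set to 0; nothing is written until Disable-Smb2 is called explicitly. Disabling SMB2 makes clients fall back to SMB1 for file sharing, so check that nothing on the host depends on SMB2 before applying it.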

See the Microsoft Security Advisory:
http://www.microsoft.com/technet/security/advisory/975497.mspx

Mark Minasi came up with a good remark on his blog:

…when people trying out the exploit on Windows 7 and Server 2008 R2 RTM systems (that's the great thing about a zero-day exploit: everyone gets to be a "security researcher!") found, to their surprise, that those systems were not vulnerable to the Killer SMB. So read the tea leaves with me and ask, what does that mean? Well, clearly it means that at least someone at Redmond recognized that SMB 2.0 had a bug, and a serious one, and fixed it in Windows 7/Server 2008 R2… but not in Vista and Server 2008, for some reason. But what was that reason? The best possible spin is that the programmer who found the bug simply never put the "if it's a Vista SMB 2.0 bug, it's a Win 7 SMB 2.0 bug" pieces together and moved the information up the chain. A less friendly spin would note that Microsoft has one of the most iron-clad change command systems around, and that the big players just said, "heck, we can't have another embarrassing Vista story — let's sweep this one under the rug and hope that Apple never mentions it in the next PC/Mac advertisement." That's an even particularly creepier thought since the Microsoft security bulletin reveals that an attacker exploiting this bug could not only bluescreen a system but in fact could take complete control of that system. I'm sure we'll never know the whole story.

Do you think Laurent did the right thing by publishing this bug without giving the vendor enough time to release a patch?

What do you think about the fact that this bug doesn’t affect Windows 7/Server 2008 R2?


About PiroNet

Didier Pironet is an independent blogger and freelancer with 15+ years of IT industry experience. Didier is also a former VMware, Inc. employee, where he specialised in Datacenter and Cloud Infrastructure products as well as Infrastructure, Operations and IT Business Management products. Didier is passionate about technology and is known as a creative and visionary thinker who expresses himself with passion and excitement, hopefully inspiring and enrolling people in innovation and change.