Windows 7 Zero-Day Attack

Microsoft Security Advisory (977544) – Vulnerability in SMB Could Allow Denial of Service

Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol that affects:

  • Windows 7 for 32-bit Systems
  • Windows 7 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems*
  • Windows Server 2008 R2 for Itanium-based Systems

This vulnerability cannot be used to take control of or install malicious software on a user’s system and Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

What is Server Message Block Version 2 (SMBv2)?
Server Message Block (SMB) is the file sharing protocol used by default on Windows-based computers. SMB Version 2.0 (SMBv2) is an update to this protocol, and is only supported on computers running Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. SMBv2 can only be used if both client and server support it. If either client or server cannot support SMBv2, the SMB 1.0 protocol will be used instead. The SMB protocol version to be used for file operations is decided during the negotiation phase. During the negotiation phase, a Windows client advertises to the server that it can understand the new SMBv2 protocol. If the server understands SMBv2, then SMBv2 is chosen for subsequent communication. Otherwise the client and server use SMB 1.0 and continue to function as normal. For more information on SMBv2, see the MSDN article, Server Message Block (SMB) Version 2 Protocol Specification.

What is the difference between SMBv1 and SMBv2?
Both protocols are used by clients to request file and print services from a server system over the network. Both are stateful protocols in which clients establish a connection to a server, establish an authenticated context on that connection, and then issue a variety of requests to access files, printers, and named pipes for interprocess communication. The SMBv2 protocol is a major revision of the existing SMB protocol. While many of the underlying concepts are the same, the packet formats are completely different. In addition to providing all of the capabilities found in SMBv1, the SMBv2 protocol provides several enhancements:

  • Allowing an open to a file to be reestablished after a client connection becomes temporarily disconnected.
  • Allowing the server to balance the number of simultaneous operations that a client can have outstanding at any time.
  • Providing scalability in terms of the number of shares, users, and simultaneously open files.
  • Supporting symbolic links.
  • Using a stronger algorithm to validate the integrity of requests and responses.

What causes this threat?
The vulnerability is caused by the Microsoft Server Message Block (SMB) protocol software insufficiently validating all fields when parsing specially crafted SMB packets.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could cause a user’s system to stop responding until manually restarted.

Can this vulnerability be exploited using Internet Explorer?
No. However, this issue may be exploited through Web transactions, regardless of browser type. In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. A user that browsed to that Web site will force an SMB connection to an SMB server controlled by the attacker, which would then send a malicious response back to the user. This response would cause the user’s system to stop responding until manually restarted. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes them to the attacker’s site.

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:


Block TCP ports 139 and 445 at the firewall

These ports are used to initiate a connection with the affected component. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all SMB communications to and from the Internet to help prevent attacks. For more information about ports, see TCP and UDP Port Assignments.

Impact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:

  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (File and Print Sharing)
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal Server Licensing
  • Print Spooler
  • Computer Browser
  • Remote Procedure Call Locator
  • Fax Service
  • Indexing Service
  • Performance Logs and Alerts
  • Systems Management Server
  • License Logging Service

How to undo the workaround. Unblock TCP ports 139 and 445 at the firewall. For more information about ports, see TCP and UDP Port Assignments.

Microsoft Security Advisory (977544)…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: