Windows 7, which was publicly released Oct. 22, has been hit by at least two security flaws.
One of these lets hackers execute code remotely; the other lets them trigger an infinite loop remotely, hanging the kernel.
Both are flaws in SMBv2, security researcher Laurent Gaffie, who posted details about them on his blog, told TechNewsWorld.
The Windows 7 Bugs
SMB, or Server Message Block, is a Microsoft file-sharing protocol used in Windows. It is most often carried over NetBIOS over TCP/IP (port 139) or directly over TCP port 445; in both cases each SMB packet is preceded by a four-byte NetBIOS session header whose length field tells the receiver how many bytes follow. SMBv2 is a major revision of the SMB protocol, introduced with Windows Vista, using different packet formats from SMBv1 and adding several enhancements.
Microsoft posted Security Advisory 977544 on Nov. 13, which stated the company is investigating reports of a possible denial of service vulnerability in the SMB protocol. The vulnerability affects Windows 7 running on 32-bit and x64-based systems, and Windows Server 2008 R2 running on x64-based and Intel Itanium-based systems. The vulnerability may be exploited through Web transactions using any browser, the security advisory stated.
However, hackers cannot use the vulnerability to take control of or install malicious software on a user’s system, the advisory noted. Microsoft is developing a security update to address this vulnerability, although it declined comment on how critical this flaw is. “We cannot comment on the severity of the issue at this time,” Dave Forstrom, group manager of public relations for Microsoft Trustworthy Computing, told TechNewsWorld.
This exploit is more of a nuisance than anything else, Wolfgang Kandek, chief technology officer at Qualys, told TechNewsWorld. It involves tricking an end user into clicking on a link to a server with a malicious configuration, and it only locks up one machine, he pointed out. “An attacker who goes through the trouble of tricking users to click on a link will use an exploit that allows him to control the target machine after execution,” Kandek explained.
Forstrom would not confirm that the fix was posted in response to Gaffie’s blog.
Redmond also pointed to a National Vulnerability Database listing of a bug in the kernel that lets remote SMB servers cause a denial of service on computers running Windows Server 2008 R2 and Windows 7. The attack comes through an SMBv1 or SMBv2 packet containing a NetBIOS header with an incorrect length value, the listing stated.
The kernel flaw’s entry is still under review in the National Vulnerability Database, which indexes flaws by Common Vulnerabilities and Exposures (CVE) identifier.
Gaffie Lists Windows Gaffes
Gaffie discovered both flaws while working on other issues with Microsoft and other vendors, he said. He released the information “to make sure Microsoft acknowledges security issues and patches the flaws as soon as possible and with transparency,” he explained.
On Nov. 11, Gaffie published news of a denial-of-service flaw in Windows 7 on his blog. It triggers an infinite loop whether the malicious server speaks SMBv1 or SMBv2, and it is the flaw referred to in the National Vulnerability Database listing.
This bug can be triggered from outside a user’s local area network by luring Internet Explorer into connecting to an attacker’s SMB server, Gaffie wrote. “The bug is so noob, it should have been spotted two years ago by the SDL if the SDL had ever existed,” he wrote.
SDL is the Security Development Lifecycle. It is part of Microsoft’s Trustworthy Computing Initiative. “The SDL is useful, and provides more secure software to users, but in this case it failed, as Microsoft probably focused way too much on Internet Explorer and the Office suite, and critical services run with kernel privileges such as SMB are not well covered by this process,” Gaffie said.
Microsoft could have discovered this flaw easily, Gaffie said. “If they’d launched a fuzzer on SMB, they would have found the bug in two minutes,” he explained. Gaffie was referring to fuzz testing, a software testing technique that feeds invalid, unexpected or random data to the inputs of a program and watches for crashes, hangs or other misbehavior. File formats and network protocols are the most common targets of fuzz testing, and a length field in a framing header is one of the first things a protocol fuzzer mutates.
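To make the bug class and the testing technique concrete, here is an added example (not code from the article, from Gaffie, or from Microsoft; it does not reproduce the Windows bug) in Python. It models a receiver that walks a buffer of NetBIOS session frames, one constructed version that trusts the header length in a way that stops making progress when the length is zero, and a hardened version that validates the length against the buffer. A small mutation fuzzer then rewrites the length field with boundary and random values and classifies what each walker does. The SMB-looking payload, the specific bug shape and all function names are assumptions for the illustration.

```python
import random
import struct

# NetBIOS session service header (RFC 1002): 1 byte message type, 1 byte of
# flags whose low bit is bit 16 of the length, then a 16-bit length giving
# the number of payload bytes that FOLLOW the 4-byte header.
HEADER_LEN = 4
SESSION_MESSAGE = 0x00


class LoopDetected(Exception):
    """Raised when a walker exhausts its step budget without finishing."""


def nb_frame(payload: bytes) -> bytes:
    """Build one well-formed NetBIOS session frame around a payload."""
    length = len(payload)
    return struct.pack(">BBH", SESSION_MESSAGE, (length >> 16) & 1, length & 0xFFFF) + payload


def declared_length(buf: bytes, offset: int) -> int:
    """Read the 17-bit length field of the header starting at offset."""
    _msg_type, flags, low = struct.unpack_from(">BBH", buf, offset)
    return ((flags & 1) << 16) | low


def walk_naive(buf: bytes, max_steps: int = 10_000) -> int:
    """Constructed vulnerable walker (an assumption, not Windows' code).

    It trusts the length field and forgets that the 4 header bytes also have
    to be skipped, so a frame declaring length 0 advances the offset by 0
    bytes and the loop never ends. The step budget exists only so this demo
    returns instead of hanging; a real receiver would spin forever.
    """
    offset, frames, steps = 0, 0, 0
    while offset + HEADER_LEN <= len(buf):
        steps += 1
        if steps > max_steps:
            raise LoopDetected(f"no forward progress at offset {offset}")
        offset += declared_length(buf, offset)  # bug: HEADER_LEN not added
        frames += 1
    return frames


def walk_hardened(buf: bytes) -> list:
    """Check every length against what is actually in the buffer and make
    progress on every iteration, returning the list of payloads."""
    offset, frames = 0, []
    while offset < len(buf):
        if len(buf) - offset < HEADER_LEN:
            raise ValueError(f"truncated header at offset {offset}")
        if buf[offset] != SESSION_MESSAGE:
            raise ValueError(f"unexpected message type {buf[offset]:#x}")
        length = declared_length(buf, offset)
        end = offset + HEADER_LEN + length
        if end > len(buf):
            raise ValueError(f"declared length {length} exceeds buffer")
        frames.append(buf[offset + HEADER_LEN:end])
        offset = end  # always > offset because HEADER_LEN > 0
    return frames


def mutate_length(frame: bytes, length: int) -> bytes:
    """Overwrite the 17-bit length field of the first frame in place."""
    header = bytes([frame[0], (length >> 16) & 1, (length >> 8) & 0xFF, length & 0xFF])
    return header + frame[HEADER_LEN:]


def fuzz_length_field(walker, rounds: int = 200, seed: int = 1) -> dict:
    """Mutation fuzzer for the length field: start from one valid frame,
    replace its length with boundary and random values, and record whether
    the walker finished, rejected the input, or stopped making progress."""
    rng = random.Random(seed)
    payload = b"\xffSMB" + b"A" * 28            # constructed SMB-looking payload
    base = nb_frame(payload)
    cases = [len(payload), 0, 1, HEADER_LEN - 1, len(base), 0xFFFF, 0x1FFFF]
    cases += [rng.randrange(0, 0x20000) for _ in range(rounds)]
    result = {"ok": 0, "rejected": 0, "hang": 0, "hang_inputs": []}
    for length in cases:
        mutated = mutate_length(base, length)
        try:
            walker(mutated)
            result["ok"] += 1
        except ValueError:
            result["rejected"] += 1
        except LoopDetected:
            result["hang"] += 1
            result["hang_inputs"].append(length)
    return result


if __name__ == "__main__":
    print("naive   :", fuzz_length_field(walk_naive))
    print("hardened:", fuzz_length_field(walk_hardened))
```

Run it and the naive walker reports a hang for the zero-length case within the first handful of inputs, which is the "two minutes with a fuzzer" point: the finding needs no knowledge of SMB beyond where the length field sits. The hardened walker never hangs; it either returns the payloads or raises ValueError, and the two checks that matter are that the declared length fits in the buffer and that the offset grows on every iteration.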
On Sept. 7, Gaffie had posted news about an SMBv2 flaw that could let attackers remotely crash any machine running Windows Vista or Windows 7 with SMB enabled.
It’s All Par for the Course
Software development is a process, Microsoft’s Forstrom said. “It’s impossible to completely prevent all vulnerabilities during software development. Microsoft’s SDL process is intended to reduce the number of vulnerabilities in software as well as reduce the severity and impact of the ones that occur,” he explained.
“There will always be security problems in any operating system,” Michael Cherry, senior analyst at Directions on Microsoft, told TechNewsWorld. “There’s a real tendency with Windows 7 right now to analyze it to death. It’s been less than a month since its release. We need to let a year go by before we come to any conclusions.”