Microsoft confirms critical unpatched Vista, Windows 7 RC bug

Doesn't affect Windows 7 or Server 2008 R2 RTMs, or older versions like 2000 and XP

Microsoft late Tuesday confirmed that a bug in Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2, could be used to hijack PCs.

The vulnerability in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows, was first disclosed late Monday, when a researcher posted exploit code he claimed crashed Windows Vista and Windows 7 systems, causing the dreaded "Blue Screen of Death."

Later in the day, several researchers, including Tyler Reguly, a senior security engineer of nCircle Network Security, vouched that tests showed the attack code crashed machines running Vista, Server 2008 and the Windows 7 and Server 2008 R2 release candidates, but not the final, or RTM, versions of the latter two.

Also on Tuesday, another researcher, Ruben Santamarta, said on the Bugtraq mailing list that the vulnerability was not only a denial-of-service flaw, but also allowed remote code execution, security-speak for a bug that could be used to jack a machine.

In a security advisory issued around 9 p.m. ET Tuesday, Microsoft corroborated both Reguly's and Santamarta's findings.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory said.

"Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

Microsoft also noted that while the release candidates of Windows 7 and Windows Server 2008 R2 are vulnerable, the RTM, or release to manufacturing, editions are not.

The RTM versions of Windows 7 and Windows Server 2008 R2 are the ones that were handed over to computer makers in late July, and issued to volume license customers, and some developers and IT professionals in early August.

The release candidates, on the other hand, have been widely distributed, with millions of users downloading Windows 7 RC during the three and a half months it was available to the public.

"This vulnerability was reported after the release of Windows 7 Release Candidate," Microsoft's advisory noted. "Customers running this platform are encouraged to review this advisory and follow the steps listed here."

Earlier versions of Windows, including Windows 2000, XP and Server 2003 are also safe, since they do not use SMB 2.

Microsoft said it is working on a patch for the SMB 2 vulnerability, but did not spell out a timeline. Its regularly-scheduled September updates were issued Tuesday about 1 p.m. ET; the next expected batch of patches isn't due until Oct. 13.

Until a patch is available, Microsoft recommended that users disable SMB 2 by editing the Windows Registry -- a task too daunting for most consumers -- or block TCP ports 139 and 445 at the firewall.

Doing the latter will cripple several important services or applications, including the browser, Microsoft acknowledged.

Even though the flaw exists and exploit code is in circulation, some researchers were upbeat.

"At the moment I think the default configurations are going to provide enough mitigation for most users, those being the default firewall configurations since Windows XP SP2," said Andrew Storms, nCircle's director of security operations, in an instant message late Tuesday.

Hackers who manage to get within the perimeter of a network, however, may find easy pickings.

"The key to a good attack would be to get in on the inside, where enterprises have host-based firewalls disabled," he said.

The SMB 2 vulnerability isn't the only Microsoft bug that's gone public, but has not been patched. Last week, Microsoft announced it was working on a fix for a flaw in the FTP (file transfer protocol) server included in the company's popular Internet Information Services (IIS) Web server.

Microsoft has confirmed that hackers are already using exploits of the FTP bug to attack Web servers.

Join the CSO newsletter!

Error: Please check your email address.

Tags Windows Vistaexploits and vulnerabilitiesMicrosoftsecurityWindows 7microsoft patches

More about etworkMicrosoftnCirclenCircle Network Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place