Microsoft was doing a little bit of crowing earlier this week, politely mentioning to everyone that Windows 7, the new version of its desktop operating system, did not have any security patches in this month’s release. Unfortunately, the glow didn’t last too long. As reported in an article by PC World, and a diary posting at the SANS Internet Storm Center, a new “zero-day” vulnerability (meaning a vulnerability for which an exploit is published before a fix is available) has been discovered in the Windows 7 implementation of Microsoft’s SMB network protocol. SMB, which stands for Server Message Block, is used to implement Windows shares, among other things. This flaw is also present in Windows Server 2008 R2.
Although the exploit code, as originally posted, did not work (perhaps intentionally, as the SANS posting suggests), it is easy to repair. With the corrected exploit, it is possible to create a “toxic” file share on the network, such that any machine that browses to the share locks up in an infinite loop. Blocking Windows sharing at the network firewall, probably a good idea in most cases anyway, provides some, but not total, mitigation.
Fortunately, as far as I have been able to tell, the vulnerability can only be exploited to effectively crash systems; that is, for a denial-of-service attack. The PC World article says, and I basically agree, that this flaw is unlikely to be widely attacked, because it is of little substantive value to the bad guys. In a way, this is a reflection of how the threat landscape on the Internet has evolved over the past few years. At one time, when the main threat came from amateur hackers, this might have become quite a popular attack, because of its considerable nuisance value. Today, however, when most malicious activity is directed toward more traditional criminal objectives (like theft), this is not likely to turn into a big deal — although I’m sure Microsoft finds it embarrassing.