New SMB bug: How to crash Windows system with a 'link of death' US CERT on Thursday issued a security advisory warning that all currently supported versions of Windows are vulnerable to a memory corruption bug that can be exploited to crash computers from afar. "Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined …
> Nobody at Microsoft really knows how SMB file sharing actually works any more
MS like all typical big businesses with a corporate mindset got rid of the staff that originally worked on most of windows core anyway. Even the dude who wrote the core of MS Word is long gone now.
MS made redundant their expertise in return for short term profit, and if you really understand capitalism, the ever lasting light bulb and the Phoebus Cartel, you'll know these are nothing more than deliberate actions on the part of MS, but your EULA means you cant sue them.
It would be illogical to draw any other conclusion.
https://en.wikipedia.org/wiki/Phoebus_cartel
They are the corporate heroin dealers of software, you want to leave and use another operating system, but you cant as the software you need, doesn't exist elsewhere.
You want an alternative but they just don't exist, the same conformity that ushered in the Nazi's is now being used against you, people are lazy, they have been told you cant go wrong with MS, it used to be you cant go wrong with IBM, tomorrow it will be some other company you have yet to hear of.
Face it, we are all corporate clones with just enough intelligence to recognise some problems but not enough intelligence to come up with a solution.
you cant sue them"....Except where it fails on the ground of statute law
You could in theory sue them, yes. But under UK rules that lawyers have to abide by, they'll want proof that you can pay your own and Microsoft's costs if you lose. In the putative case of Syntax vs Microsoft, no lawyer would be allowed to take the case unless you're a billionaire. Nobody would even take the case on through a no-win, no-fee basis, because you or they would still be exposed to Microsoft's costs if you lost. The only way that statute law can be used in civil cases against Microsoft are:
a) Small claims they can't be arsed to defend, for perhaps a couple of hundred notes
b) Where the state takes a civil case against Microsoft
c) Where a third party litigation funder will finance the case (and take most of any settlement)
And there are companies that exist solely as litigation funders. But they are an extension of the patent trolling industry. You only go to these people when you've got a bullet proof, high value case yet nobody else will touch it. And even then, you still need to find a law firm with the competence to take on the legal A-listers that big companies will happily pay for. Sadly, you and I have little or no redress against big companies if they want to take a stand.
Note for US readers: In the UK, in a civil law case, the losing party usually has to pay the winning party's legal costs. That normally works much better than the US "each to pay their own" system, in that it discourages risky or frivolous cases, but it does mean that your lawyer has to believe (or in high value cases, have proof) you can cover the costs of both sides before a lawyer will take the case.
@Ledswinger - The EULA may be void in many jurisdictions and depending on the jurisdiction a nasty civil suit may be much easier to get started. Also, there may criminal statutes that could come in play for various jurisdictions. All it really takes is for someone to file the nuclear lawsuit in the Slurp in a legally unfriendly jurisdiction to have the hammer drop very hard. US is probably friendlier for certain types of cases but check local product liability laws particularly the criminal ones.
Lose a couple of major lawsuits and watch the legal beagles salivate worldwide because much of the work has already been done in another jurisdiction. Think VW in the US, if anyone wishes to come after VW most of the legal work has been done for you by the ferals free of charge. Slurp's primary defences seem to be inertia and FUD - too lazy to make the change away and to scared to sue when you have a strong case under local laws. It only takes a few in both areas to break the logjam and whole rotten edifice to crash.
Surely they have an obligation to provide things with reasonable care / skill / fitness for purpose - which becomes debatable if the supplier knows of a flaw, can rectify it, yet chooses not to? For services, the UK wording is
"where the supplier is acting in the course of a business, there is an implied term that the supplier will carry out the service with reasonable care and skill"
If the EULA tries to get out of those duties, it will fail the statute law test, surely?
I imagine over the years that MSs code auditors simply atrophied into complete immobility and sustained for a while by life support systems that were later eliminated through budget cuts. Their naturally mummified remains were uncovered by cleaning staff recently but their identities remain a mystery as all records concerning them were expunged.
I have little sympathy for anyone still using Windows at this point. At one point, people had to use Windows. Now there are plenty of options on the server side and Mac/Chrome OS/Linux (not to mention Android and iOS) on the end user side. You don't have to go get some Linux distro from a small company or no company if that concerns you. You can buy an OS with enterprise support from Apple or Google, the number one and two most valuable companies in the world (pretty enterprise legit). People who use Windows anyway should just expect this sort of thing.
At work, I use excel all day, often with large amounts of data so that even excel for windows creaks under the strain. What is your replacement?
At home, I game. What is your replacement?
It's all very well saying that your use case is supportable under mint flavoured gnome sized penguins but computers are used for a lot of things[citation needed]
"At work, I use excel all day, often with large amounts of data so that even excel for windows creaks under the strain. What is your replacement?"
Answer - Google Apps (G Suite). It runs on a cluster of servers. If you are working with large amounts of data on a PC, you are doing it wrong. Data belongs on servers.
"At home, I game. What is your replacement?"
Answer - PS4.
>Malicious server inside the firewall.
I thought he was referring to the Windows (client) firewall, given SMB was (is?) a local LAN service. But thinking about it you are probably correct, although I'm not sure why I would want to run a malicious server as a vm inside the Windows firewall.
"SMB was (is?) a local LAN service"
Generally but it relies on IP addressing, unlike the old Netware protocol which wasn't routeable. This extract from TFA doesn't mention any such restrictions:
This can be done by tricking a victim into clicking on a malicious link to a share in an email in Outlook, or by embedding in a webpage an invisible image with a source URL to an evil file server and getting the mark to visit the site using Internet Explorer, for example."
"You CAN route IPX"
Yes. Your IPX address(es) are generally the MAC address of the interfaces and they are associated with a subnet address of the form aabbccdd ie 32 bit. See https://en.wikipedia.org/wiki/Internetwork_Packet_Exchange for details.
I get flashbacks nowadays when setting up IPv6 (mmm RIPnSAP vs SLAAC) 8)
Not really suprising as the former was inspired by the later but for PCs, when they weren't powerful enough for full fat unix
Netware, like many networking systems targetted at workstations was based on Xerox Network System (XNS), which was designed for use on LANs ie. over high-speed low-error media such as Ethernet (another Xerox invention that was inspired by ALOHAnet), unlike TCP/IP. Additionally
As for PC's not being powerful enough for full fat Unix, that's an interesting take on the computing scene in the 1970's and early 1980's when these protocol suites were being developed...
re: "his can be done by tricking a victim into clicking on a malicious link to a share in an email in Outlook, or by embedding in a webpage an invisible image with a source URL to an evil file server "
Yes I read that and did scratch my head, I admit I did dismiss it as hype (ie. making the danger seem greater than it really is). But then the only times I've used SMB and other local network services over the Internet has been via VPN and hence effectively still on the same subnet.
But then given the pressure to enhance the Apple Bonjour discovery service to support multiple subnets, it is hardly surprising that such local subnet services will deliver unexpected surprises when enhanced to support wider access.
"Not really suprising as the former was inspired by the later but for PCs, when they weren't powerful enough for full fat unix"
Is'nt it more that people couldn't afford UNIX?
Also indeed - who allows smb through the perimeter firewalls, and if it needs to be a local melicious smb share you need an other vulnerability to get that going.
I was referring to a firewall at the network boundary, blocking outgoing SMB traffic. If I have malicious server inside the firewall I'm f*d anyway, no matter whether or not my SMB client layer is buggy (e.g. because such server could hijack DHCP and then apply MitM rather than exploit SMB, to list one of many possible attack scenarios). To prevent against that threat, a half-solution could be to setup IPsec + DNSsec on the internal network, but really? Do I have to go there in the context of the vulnerability discussed here, I am not even full-time network administrator for f* sake! If I was I wouldn't be asking stupid questions, like the one above.
"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible"
That must be that AC we used to see here so often, who no matter how bad MS was would always defend them and would say stuff like ".DOC virus infecting millions of users in 2016 isn't at all bad, Unix is worse coz in the 1970's Unix had some pretty nasty bugs too!" or somesuch..
"We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection" ref
Ah, good ol Dan Goodin. Haven't seen his byline around here in a while and was kinda wondering where he was :) As to using Edge/IE-any-version or Win-any for protection? When a nasty .DOC can still compromise the OS? I got your security right there -->
"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible"
Sounds like a Microsoft contraction... they are going to proactively update impacted devices, just as soon as someone tells them about it.
Including a full rewrite of the Win95 shutdown bug!
Ok, I've spent some time googling and cannot find a reference to it (surprisingly "windows 95 ie shutdown bug" brings up a ton of links! But from what I recall, there was a but that a specific code in a web page would cause 95 to either shutdown or reboot (or maybe bluescreen?) if the page was visited using IE.
Which somehow made today's story sound kinda familiar...
The bug that comes to mind is the "file:///con/con" one. And that was very 9x specific as it had to do with DOS pseudo-device handling, probably somewhere deep inside VMM32.VXD or DOS itself.
By the way, Win10 isn't a complete rewrite and noone at MS has ever claimed it is... No idea what the origins of this myth is, but it pops up on Reg forums (and nowhere else!) from time to time. Usually about Win7 though.
By the way, Win10 isn't a complete rewrite and noone at MS has ever claimed it is... No idea what the origins of this myth is, but it pops up on Reg forums (and nowhere else!) from time to time. Usually about Win7 though.
I would swear that I had seen some madvertising or other text from MS themselves claiming this (or at least someone from MS quoted as such in an interview or something), but I cannot find it so could be quite wrong on that. It would make more sense that 8 was supposed to be a rewrite.
I stand corrected, and will not spread the myth that Win10 was claimed to be a rewrite until I see something from MS claiming as such.
I personally don't think any OS should be "rewritten from scratch", but rather that code should be improved, new features maybe added (even if you save a pile of them up as a "new release"). As code gets re-visited it (generally) gets tightened, improved in speed, size and security. Re-writing from scratch opens up all sorts of avenues for new bugs to be generated.
Win7 continued and improved, with a couple of new UI options (could've then given them 8x/10 as bolt-on UI's, though maybe the UI is too tied into the core OS in Windows for that?), some tighter code, improved libraries where needed while keeping the base API's the same... I wouldn't be singing MS's praises, but I'd certainly have a lot less hatespeak directed at them! :)
(Would still love the functionality, speed, security and flexibility that Linux gives me, but another 10 years of development on 7 and maybe it would've nearly gotten there :) )
@Kiwi: "I've spent some time googling and cannot find a reference to it"
'On Aug. 27, 2004 .. Mr. Allchin had announced .. that they would "reset" Longhorn using a clean base of code that had been developed for a version of Windows on corporate server computers.'
The problem with Windows is that it has been deliberatly written in spaghetti style to prevent others easily cloning it. In the process Microsoft created the Frankenstein of Operating Systems.
The quote might be referring to MinWin (a refactoring effort, basically) or something similar originally, before going through various journalist filters... I have never seen any official communication claiming a rewrite - quite the opposite in fact: https://channel9.msdn.com/shows/Going+Deep/Arun-Kishan-Farewell-to-the-Windows-Kernel-Dispatcher-Lock/
The server versions basically just differ in what software ships with it, by the way. The kernel is identical and the userland fundamentals are the same, though with Server Core release you don't get a GUI by default.
As to supposed intentional spaghetti style - I have read quite a bit of Windows source code and certainly never seen any sign of that. It's overall pretty darn decent and well-organized, with peaks and lows. The kernel for example is veeery well-organized and neat, to the point where it's almost uncomfortable to read.
$ sudo python2 Win10.py
From: ('10.200.14.130', 52057)
[*]Negotiating SMBv2.
[*]Negotiate Protocol SMBv2 packet sent.
[*]Session challenge SMBv2 packet sent.
From: ('10.200.14.130', 52058)
[*]Negotiate Protocol SMBv2 packet sent.
[*]Session challenge SMBv2 packet sent.
[*]Triggering Bug; Tree Connect SMBv2 packet sent.
Disconnected from ('10.200.14.130', 52058)
BSOD on Windows 2012 R2 server VM in my attic. Worked across a routed pair of subnets. I simply started the little python app and typed \\my_laptop_ip into Explorer.
"All cool, but how would you exploit it "
That was a fully patched machine that died. I gather the fix is due this patch Tuesday.
I predict life for sysadmins in places like schools and colleges will get interesting for a while. Not to mention what a disgruntled employee might get up to. I hope your kids are on a separate VLAN as well ...
Now how many here, let alone "out there", have proper egress default deny rules on their WAN links.
"it won't work over the internet "
It can work over the internet for most people. Very few people bother with a default deny egress rule, well they probably do have one implied but it will have an allow all outbound in front of it *sigh*
\\w.x.y.z and \\host.example.co.uk will all find the other end across routers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
