Microsoft confirms critical unpatched Vista, Windows 7 RC bug

Computerworld - Microsoft late Tuesday confirmed that a bug in Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2, could be used to hijack PCs.

The vulnerability in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows, was first disclosed late Monday, when a researcher posted exploit code he claimed crashed Windows Vista and Windows 7 systems, causing the dreaded "Blue Screen of Death."

Later in the day, several researchers, including Tyler Reguly, a senior security engineer of nCircle Network Security, vouched that tests showed the attack code crashed machines running Vista, Server 2008 and the Windows 7 and Server 2008 R2 release candidates, but not the final, or RTM, versions of the latter two. Also on Tuesday, another researcher, Ruben Santamarta, said on the Bugtraq mailing list that the vulnerability was not only a denial-of-service flaw, but also allowed remote code execution, security-speak for a bug that could be used to jack a machine.

In a security advisory issued around 9 p.m. ET Tuesday, Microsoft corroborated both Reguly's and Santamarta's findings.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory said. "Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

Microsoft also noted that while the release candidates of Windows 7 and Windows Server 2008 R2 are vulnerable, the RTM, or release to manufacturing, editions are not.

The RTM versions of Windows 7 and Windows Server 2008 R2 are the ones that were handed over to computer makers in late July, and issued to volume license customers, and some developers and IT professionals in early August.

The release candidates, on the other hand, have been widely distributed, with millions of users downloading Windows 7 RC during the three and a half months it was available to the public.

"This vulnerability was reported after the release of Windows 7 Release Candidate," Microsoft's advisory noted. "Customers running this platform are encouraged to review this advisory and follow the steps listed here."

Earlier versions of Windows, including Windows 2000, XP and Server 2003 are also safe, since they do not use SMB 2.

Microsoft said it is working on a patch for the SMB 2 vulnerability, but did not spell out a timeline. Its regularly-scheduled September updates were issued Tuesday about 1 p.m. ET; the next expected batch of patches isn't due until Oct. 13.

Until a patch is available, Microsoft recommended that users disable SMB 2 by editing the Windows Registry -- a task too daunting for most consumers -- or block TCP ports 139 and 445 at the firewall. Doing the latter will cripple several important services or applications, including the browser, Microsoft acknowledged.

Even though the flaw exists and exploit code is in circulation, some researchers were upbeat. "At the moment I think the default configurations are going to provide enough mitigation for most users, those being the default firewall configurations since Windows XP SP2," said Andrew Storms, nCircle's director of security operations, in an instant message late Tuesday.

Hackers who manage to get within the perimeter of a network, however, may find easy pickings. "The key to a good attack would be to get in on the inside, where enterprises have host-based firewalls disabled," he said.

The SMB 2 vulnerability isn't the only Microsoft bug that's gone public, but has not been patched. Last week, Microsoft announced it was working on a fix for a flaw in the FTP (file transfer protocol) server included in the company's popular Internet Information Services (IIS) Web server.

Microsoft has confirmed that hackers are already using exploits of the FTP bug to attack Web servers.

Read more about Security in Computerworld's Security Topic Center.