Non-critical 0-day For Windows 7 Disclosed

A new 0-day flaw in the Microsoft’s SMB protocol implementation in Windows 7 and 2008/R2 was published by Laurent Gaffié on Wednesday of last week, one day after Microsoft’s November Patch Tuesday. The flaw was acknowledged on Friday by Microsoft as KB977544.

The exploit involves tricking an end user to click on a link to a server with a malicious configuration, which causes the machine to become unresponsive requiring a reboot. The flaw is unrelated to the recent SMBv2 problem (MS09-050). The recommended workaround at the moment is to prohibit outgoing traffic for the ports used by SMB 139 and 445 with a firewall. This type of egress filtering is already considered a best practice, but such a configuration involves additional work and I doubt that it is consistently implemented.

However, the vulnerability is not very "useful" as it involves user interaction and "only" locks up the target machine. A typical attacker that goes through the work of tricking users to click on a link will use an exploit that allows him to control the target machine after execution. For Microsoft the vulnerability represents a trigger to review and improve the part of the SDL process that did not catch the flaw.

Laurent is doing excellent security research work here on Windows 7 just as 2 months ago, but the discussion on "full" vs. "responsible" disclosure will certainly be revived by his post. While we do not know the exact details for Laurent’s exchange with Microsoft, we believe that "responsible disclosure" is the more productive mechanism to improve Internet security by fostering collaboration.

References:

• ISC blog post – great information
• Qualys ID 90569