Mark Minasi's Windows Networking Tech Page
Issue #81 September 2009
Document copyright 2009 Mark Minasi; please see
below for info on subscribing, unsubscribing or copying portions of
this text.
What's Inside
- News
- Tech Section
- Killer B's (SMBs, that is) On the Way
- To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address
News
Hi all —
I never thought I'd be saying this again, but... apparently someone
found a bug in Microsoft's new-and-improved version of the file server service,
SMB 2.0, and I'm sure that'll lead to a new and nasty worm, so it's time to do a
bit of Registry tweaking to batten down the hatches. But first, a word
from our sponsor...
Current Seminars
The Complete Two-Day "Running an R2-Based Active Directory" Seminar Comes to Charlotte, San Francisco and Chicago in February, March and April at a Discount Rate
After a very successful one-day "beta" version of my new AD class
(many thanks to our December attendees!), I got some material shaken down and
found out what topics I needed to add to create a two-day AD class that you'll
find a cost-effective use of your time. To kick off the new complete
version of the class, I'm running sessions in Charlotte, SF and Chicago and
knocking $100 off every seat.
As Active Directory enters its "tweens," most AD admins and managers have
moved from "how do I design and set this up?" to "now that I'm in charge of
somebody else's 10-year-old AD, how can I most easily and cheaply manage it, fix
it, and streamline it?" I get (and answer) those questions all the time,
and now I can answer them for you. Join me for a fun, fast-paced two days of AD
setup, management, upgrading and troubleshooting. The course includes some
in-depth DNS and AD troubleshooting, expert advice on safely virtualizing DCs, a practical,
example-rich dive into solving AD admin problems with PowerShell, a quick review
of the latest thinking on AD design and R2 upgrade, and in-depth discussions of
R2's most significant "hey, I want that!" AD-related features. Everyone
who's been asking for this class over the past year has been so patient that as
a small "thank you," I'm running the first three sessions at $100/seat below the
normal rate. The first run takes place in Charlotte (Feb 20-21), San
Francisco (March 19-20), and Chicago (2-3 April), and if you're thinking of
signing up, consider doing so early -- I was surprised to find that I had to
close registration on the Seattle and New York classes last December. (The
classes outgrew the hotel conference rooms we'd booked and there wasn't any
place to move them to at that point.)
Find the course outline here and
then you can sign up here.
I hope to see you in Charlotte, San Fran, or Chicago!
Three New Audio Sets
Many of you couldn't make it to my Win 7, R2 or Cloud Computing talks, so
we've got them available as audio sets:
With the holidays just around the corner, could you possibly imagine a
better stocking stuffer?
My Free Replacement for Steady State... Steadier State
I know that a lot of you really miss Steady State, the tool that lets you essentially create
virtual machine "snapshots," but on a physical copy of Windows like a classroom lab PC, public library workstation, kiosk PC etc, and that lets you un-do
all of the mess done to a Windows box in under four minutes with no admin interaction needed. So I created what I call Steadier State. Put it on a PC, get it the way you like it, and snapshot the machine. Then turn it loose on the public for as long as you like, and reboot it. One of the reboot options will be "Roll Back Windows," and if you choose that, then in under four minutes everything that the users did is completely un-done. Give it a try at http://www.steadierstate.com.
Tech Section
Killer B's (SMBs, that is) On the Way
This week, we got news of a vulnerability that will, I think,
sort of take you back nearly a couple of decades to the Ping of
Death. Basically we found out that you can send just one
malformed packet to a Vista or Server 2008 system, and that system
bluescreens. Relax, though... again, this seems to only attack
Vista and Server 2008 and, yeah, I know, it's just me and five other
people who are using Vista. (Fortunately for me, though,
I'm not using 2008 because I've been waiting for R2 and I moved to
Windows 7 a few weeks ago.)
Seriously, though, this points to a serious screwup on
Microsoft's part and, if I'm reading the tea leaves right, a
downright irresponsible response to it on their part, worsened by an
irresponsible hacker who posted information about that screwup
and example exploit code without first informing Microsoft.
If you're in a hurry, though, the short version is that Vista and
2008 Server systems are at risk, but the vulnerability lies in the
file server service, and because very few folks are brave enough to
expose file server service-related TCP ports 139 and 445 to the
Internet, the fact is that any widespread attack won't get terribly
far. Furthermore, a simple Reg hack shuts down SMB 2.0 on any
Vista or later system. On to the details...
Last Monday, a security researcher hacker named
Laurent Gaffié posted a report on his blog (http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html)
revealing that trying to start up an SMB 2.0 session with a
malformed packet would bluescreen a Windows system. (SMB 2.0
is the improved, faster version of the familiar old NET USE-related
file server software that we've been using in Microsoft networks
since 1985.) Gaffié's announcement in this manner was a sleazy
thing to do, as the fair way to announce a vulnerability in an OS is
to tell the OS vendor and give them the time to release a patch
before bragging to the world about your wondrous find.
(Imagine if Dan Kaminsky had sold his sure-fire DNS poisoning
exploit strategy when he conceived of it in early 2008 instead of
first getting all of the DNS vendors on board and only then
explaining it at Black Hat last summer. Heck, Kaminsky could
have sold the exploit to the highest bidder and become a rich man --
but didn't.) Just to ensure his place in the Dirtbags Hall of
Fame, Gaffié even posted a bit of sample exploit code in the blog
post. Good work, Laurie; you are a god in the eyes of millions
of disaffected wannabe hackers. Enjoy the adulation, pal; how
many jerks can say that they launched a true zero-day attack?
Meanwhile, last Monday was, as we all know, Patch Tuesday Eve,
and thus far too late for Microsoft to include Gaffié-exploit-relevant
patches with the "in-band" ones that Microsoft releases on the
second Tuesday of every month. (Could that timing have been on
purpose? Naaah.) How'd Microsoft respond? By
saying that
"Microsoft is investigating new public reports of a possible
vulnerability in Microsoft Server Message Block (SMB)
implementation..."
"Possible" gives the response a disquieting
large-company-unaccountability feel, as anyone with a Python
interpreter could try out the sample code in the blog post in oh,
about one minute, provided they had access to a Vista or Server 2008
system with a naked port 135 or 445. Good heavens, Microsoft,
it's time to ring the alarm bells, not say "uh, yeah, we're looking
into it!" But, as I see it, Microsoft looked even worse a
couple of days later when people trying out the exploit on Windows 7
and Server 2008 R2 RTM systems (that's the great thing about a
zero-day exploit: everyone gets to be a "security
researcher!") found, to their surprise, that those systems were
not vulnerable to the Killer SMB. So read the tea leaves
with me and ask, what does that mean?
Well, clearly it means that at least someone at Redmond
recognized that SMB 2.0 had a bug, and a serious one, and fixed it
in Windows 7/Server 2008 R2... but not in Vista and Server
2008, for some reason. But what was that reason? The
best possible spin is that the programmer who found the bug simply
never put the "if it's a Vista SMB 2.0 bug, it's a Win 7 SMB 2.0
bug" pieces together and moved the information up the chain. A
less friendly spin would note that Microsoft has one of the most
iron-clad change command systems around, and that the big players
just said, "heck, we can't have another embarrassing Vista
story -- let's sweep this one under the rug and hope that Apple
never mentions it in the next PC/Mac advertisement." That's an even
creepier thought, since the Microsoft security bulletin
reveals that an attacker exploiting this bug could not only
bluescreen a system but in fact could take complete control
of that system. I'm sure we'll never know the whole
story.
Anyway, what should you do, assuming you have Vista and/or Server
2008 systems in-house? Obviously it's never a great idea to
expose TCP ports 139 or 445 to the big scary Internet, so if
someone's convinced your mother to turn her Vista firewall off, tell
her to turn it back on. On a larger scale, the Microsoft
security bulletin reveals a Registry hack to disable SMB 2.0 while
leaving the unaffected SMB 1.0 stack running. Apparently
adding a new REG_DWORD entry "smb2" to the HKLM\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters
key and setting that entry to 0,
then restarting the Server service kills SMB 2.0 while leaving SMB
1.0 intact. (Just delete the entry and restart the Server
service to undo it.) Let me clarify that as I write this,
there is no Internet-crawling worm based on this exploit... yet.
Nevertheless, I'd hasten to disable SMB 2.0 on any of my Vista or
2008 systems before the "killer SMB" worms appear.
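The Registry change described above, scripted so it can be pushed to more than one Vista or Server 2008 box and undone later. This is an added example written for this page, not code from the newsletter or from Microsoft's bulletin; the function names are my own, and it assumes an elevated PowerShell prompt on a machine that has PowerShell installed (it was an optional component on Vista and 2008).

```powershell
# Added example (not from the newsletter): disable or re-enable SMB 2.0 on a
# Vista / Server 2008 box via the "smb2" REG_DWORD under the LanmanServer
# Parameters key, then restart the Server service so the change takes effect.
# Run from an elevated PowerShell prompt. Function names here are hypothetical.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # 'Disabled' only when the smb2 value exists and is 0; an absent value
    # means the default, which is SMB 2.0 switched on.
    $v = Get-ItemProperty -Path $SmbParams -Name smb2 -ErrorAction SilentlyContinue
    if ($v -ne $null -and $v.smb2 -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Disable-Smb2 {
    # Create (or overwrite) REG_DWORD smb2 = 0, then bounce the Server service.
    # -Force on Restart-Service also restarts anything that depends on it.
    New-ItemProperty -Path $SmbParams -Name smb2 -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name LanmanServer -Force
}

function Enable-Smb2 {
    # Undo, exactly as the newsletter says: delete the value and restart the service.
    Remove-ItemProperty -Path $SmbParams -Name smb2 -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanServer -Force
}

"SMB 2.0 before: $(Get-Smb2State)"
Disable-Smb2
"SMB 2.0 after:  $(Get-Smb2State)"
```

Restarting the Server service drops every open file-share session on the machine, so schedule it rather than running it on a busy file server in the middle of the day. Since SMB 1.0 stays up, clients keep working; they simply negotiate the older dialect until you run Enable-Smb2 after patching.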
And you thought it was going to be a quiet Monday.
To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2009 Mark Minasi. I encourage you to quote
this material, SO LONG as you include this entire document;
thanks.