Mark Minasi's Windows Networking Tech Page
Issue #81 September 2009
Document copyright 2009 Mark Minasi; please see
below for info on subscribing, unsubscribing or copying portions of
this text.
What's Inside
- News
- Tech Section
- Killer B's (SMBs, that is) On the Way
- To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email
Address
News
Hi all —
I never thought I'd be saying this again, but... apparently someone
found a bug in Microsoft's new-and-improved version of the file server service,
SMB 2.0, and I'm sure that'll lead to a new and nasty worm, so it's time to do a
bit of Registry tweaking to batten down the hatches. But first, a word
from our sponsor...
Two-Day Windows 7 and Server 2008 R2 Classes: Ottawa February 22/24
2010, Dallas March 22/24 2010, and Charlotte NC March 30-April 1
My new two-day Windows 7 desktop support class and my two-day Server
2008 R2 support class are coming to Ottawa in late February, Dallas in
March and Charlotte in late March. Why attend? Well...
On 22 October, Microsoft officially released Windows 7 and Server
2008 R2. As is always the case, new versions of Windows may
offer opportunities for many — but not all — organizations, and so it's
worthwhile learning enough about Windows 7 and Server 2008 R2 to
determine if they're right for your organization. But how to get that
research done in the least amount of time? Well, there's the hard way
-- work your way through a pile of white papers and Web pages written by
well-meaning but not terribly technical marketing people -- or you could
take the easy way out and join me at one or both of my new seminars,
where you'll get the independent scoop (and even a few laughs).
The first new seminar, Windows 7 for Support Professionals,
gets you up to speed quickly on everything new on the Win 7 desktop —
deployment changes, new admin tools, brand-new security and networking
features, and so on. If, on the other hand, your focus is on server
software, then our second new class, Installing, Managing and
Troubleshooting Windows Server 2008 R2, does the same thing for
server software, including a special focus on new Active Directory
capabilities.
But what if both new operating systems are of interest to
you? Then I can save you some money and time because I discovered as I
researched these classes that there was a lot of new information that
applied both to the desktop and the server OSes, and so I've arranged
them so that the second day of the desktop class is also the
first day of the server class — for example, "booting from virtual
disks" is a nice new feature that applies both to desktops and servers,
and BranchCache is a useful branch office technology that's of no value
without configuring both clients and servers, and so both technologies
fit well in the middle of the three days. Thus, you can attend both
two-day classes in just three days total, and the per-day cost of
attending the third day is 40% cheaper than the first two days. Whether
you're interested in the Windows 7 class, the Server 2008 R2 class or
both, you can attend them at either of these locations:
- Ottawa
22-24 February
- Dallas
22-24 March
- Charlotte
30 March-1 April
We've got the Windows 7 outline at
http://www.minasi.com/win7class/, the Server 2008 R2 outline at
http://www.minasi.com/08r2class/, and the schedule of classes and
links to register at
http://www.minasi.com/pubsems.htm. I hope you can join me for one
of these seminars, as there's lots to learn about Win 7 and R2.
And don't forget that I can bring either or both classes to your site
and, if you skipped Vista/2008, can add whatever other info you need to
get completely up to speed; to find out more, email my assistant Merilyn Foell at
Assistant@Minasi.com, or call her at (757) 426-1431 (only between
1-5 Eastern time, weekdays, please).
Tech Section:
Killer B's (SMBs, that is) On the Way
This week, we got news of a vulnerability that will, I think,
sort of take you back nearly a couple of decades to the Ping of
Death. Basically we found out that you can send just one
malformed packet to a Vista or Server 2008 system, and that system
bluescreens. Relax, though... again, this seems to only attack
Vista and Server 2008 and, yeah, I know, it's just me and five other
people who are using Vista. (Fortunately for me, though,
I'm not using 2008 because I've been waiting for R2 and I moved to
Windows 7 a few weeks ago.)
Seriously, though, this points to a serious screwup on
Microsoft's part and, if I'm reading the tea leaves right, a
downright irresponsible response to it on their part, worsened by an
irresponsible hacker who posted information about that screwup
and example exploit code without first informing Microsoft.
If you're in a hurry, though, the short version is that Vista and
2008 Server systems are at risk, but the vulnerability lies in the
file server service, and because very few folks are brave enough to
expose file server service-related TCP ports 139 and 445 to the
Internet, the fact is that any widespread attack won't get terribly
far. Furthermore, a simple Reg hack shuts down SMB 2.0 on any
Vista or later system. On to the details...
Last Monday, a security researcher hacker named
Laurent Gaffié posted a report on his blog (http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html)
revealing that trying to start up an SMB 2.0 session with a
malformed packet would bluescreen a Windows system. (SMB 2.0
is the improved, faster version of the familiar old NET USE-related
file server software that we've been using in Microsoft networks
since 1985.) Gaffié's announcement in this manner was a sleazy
thing to do, as the fair way to announce a vulnerability in an OS is
to tell the OS vendor and give them the time to release a patch
before bragging to the world about your wondrous find.
(Imagine if Dan Kaminsky had sold his sure-fire DNS poisoning
exploit strategy when he conceived of it in early 2008 instead of
first getting all of the DNS vendors on board and only then
explaining it at Black Hat last summer. Heck, Kaminsky could
have sold the exploit to the highest bidder and become a rich man --
but didn't.) Just to ensure his place in the Dirtbags Hall of
Fame, Gaffié even posted a bit of sample exploit code in the blog
post. Good work, Laurie; you are a god in the eyes of millions
of disaffected wannabe hackers. Enjoy the adulation, pal; how
many jerks can say that they launched a true zero-day attack?
Meanwhile, last Monday was, as we all know, Patch Tuesday Eve,
and thus far too late for Microsoft to include Gaffié-exploit-relevant
patches with the "in-band" ones that Microsoft releases on the
second Tuesday of every month. (Could that timing have been on
purpose? Naaah.) How'd Microsoft respond? By
saying that
"Microsoft is investigating new public reports of a possible
vulnerability in Microsoft Server Message Block (SMB)
implementation..."
"Possible" gives the response a disquieting
large-company-unaccountability feel, as anyone with a Python
interpreter could try out the sample code in the blog post in oh,
about one minute, provided they had access to a Vista or Server 2008
system with a naked port 135 or 445. Good heavens, Microsoft,
it's time to ring the alarm bells, not say "uh, yeah, we're looking
into it!" But, as I see it, Microsoft looked even worse a
couple of days later when people trying out the exploit on Windows 7
and Server 2008 R2 RTM systems (that's the great thing about a
zero-day exploit: everyone gets to be a "security
researcher!") found, to their surprise, that those systems were
not vulnerable to the Killer SMB. So read the tea leaves
with me and ask, what does that mean?
Well, clearly it means that at least someone at Redmond
recognized that SMB 2.0 had a bug, and a serious one, and fixed it
in Windows 7/Server 2008 R2... but not in Vista and Server
2008, for some reason. But what was that reason? The
best possible spin is that the programmer who found the bug simply
never put the "if it's a Vista SMB 2.0 bug, it's a Win 7 SMB 2.0
bug" pieces together and moved the information up the chain. A
less friendly spin would note that Microsoft has one of the most
iron-clad change command systems around, and that the big players
just said, "heck, we can't have another embarrassing Vista
story -- let's sweep this one under the rug and hope that Apple
never mentions it in the next PC/Mac advertisement." That's an even
creepier thought since the Microsoft security bulletin
reveals that an attacker exploiting this bug could not only
bluescreen a system but in fact could take complete control
of that system. I'm sure we'll never know the whole
story.
Anyway, what should you do, assuming you have Vista and/or Server
2008 systems in-house? Obviously it's never a great idea to
expose TCP ports 139 or 445 to the big scary Internet, so if
someone's convinced your mother to turn her Vista firewall off, tell
her to turn it back on. On a larger scale, the Microsoft
security bulletin reveals a Registry hack to disable SMB 2.0 while
leaving the unaffected SMB 1.0 stack running. Apparently
adding a new REG_DWORD entry "smb2" to the
HKLM\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters key and setting that entry to 0,
then restarting the Server service kills SMB 2.0 while leaving SMB
1.0 intact. (Just delete the entry and restart the Server
service to undo it.) Let me clarify that as I write this,
there is no Internet-crawling worm based on this exploit... yet.
Nevertheless, I'd hasten to disable SMB 2.0 on any of my Vista or
2008 systems before the "killer SMB" worms appear.
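Here is the Registry workaround above as a PowerShell script with a check, a disable and an undo. This is an added example, not code from the newsletter or from Microsoft's bulletin; it assumes an elevated PowerShell prompt on the Vista or Server 2008 box, and the function names (Get-Smb2State, Disable-Smb2, Enable-Smb2) are my own.

```powershell
# Added example (not from the newsletter): toggle SMB 2.0 on a Vista /
# Server 2008 host through the Lanmanserver "Smb2" REG_DWORD described
# above, then restart the Server service so the change takes effect.
# Run from an elevated PowerShell prompt.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters'
$ValueName = 'Smb2'

function Get-Smb2State {
    # Returns 'Disabled' only when Smb2 exists and is 0; the value is absent
    # by default, and absent (or any non-zero value) means SMB 2.0 is on.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($props -and
        ($props.PSObject.Properties.Name -contains $ValueName) -and
        ($props.$ValueName -eq 0)) {
        return 'Disabled'
    }
    return 'Enabled'
}

function Disable-Smb2 {
    # Create (or overwrite, via -Force) Smb2 = 0, then bounce the Server
    # service. -Force on Restart-Service also restarts dependents such as
    # Netlogon and Computer Browser, which the plain "net stop" would refuse.
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name LanmanServer -Force
    return Get-Smb2State
}

function Enable-Smb2 {
    # Undo exactly as the newsletter says: delete the entry and restart
    # the Server service. SMB 1.0 keeps running either way.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanServer -Force
    return Get-Smb2State
}

# Usage:
#   Get-Smb2State    # look before you touch anything
#   Disable-Smb2     # the advisory workaround; expect 'Disabled'
#   Enable-Smb2      # roll back once the patch ships; expect 'Enabled'
"SMB 2.0 is currently: $(Get-Smb2State)"
```

Keep the result of Get-Smb2State from a few machines in your change log so you know which hosts still need the entry removed after Microsoft releases the real fix; the workaround costs you SMB 2.0's performance gains on every Vista/2008-to-Vista/2008 file transfer until then.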
And you thought it was going to be a quiet Monday.
To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email
Address
To subscribe, visit http://www.minasi.com/nwsreg.htm.
To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.
To unsubscribe, link to http://www.minasi.com/unsubs.htm.
Visit the Archives at http://www.minasi.com/archive.htm.
Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.
All contents copyright 2009 Mark Minasi. I encourage you to quote
this material, SO LONG as you include this entire document;
thanks.