Last Wednesday, researcher Laurent Gaffié published on his blog information about a bug in the Server Message Block (SMB) that can be exploited to perform denial-of-service (DoS) attacks. The SMB protocol is generally used for sharing files, printers and serial ports on a network. The vulnerability is said to affect both Windows 7 and Server 2008 Release 2. Gaffié criticized the Security Development Lifecycle (SDL) several times for not proving to be successful:
The bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL had ever existed…
Microsoft has confirmed yesterday in a security advisory that it’s investigating into the issue and will take action once investigations are complete:
Microsoft is investigating new public reports of a possible denial of service vulnerability in the Server Message Block (SMB) protocol. This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
What precautions should users take in the meantime? There isn’t much to be done as there aren’t any security patches yet. However, the same old advice applies here: avoid visiting bogus sites and malicious links. We should expect to receive security fixes for this either along with the monthly security bulletins or through an out-of-cycle security update.
It’s also worth noting that, if a security hole is identified, information about it should be given to the software vendor, rather than the public:
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests.
On a side note, I’ve seen many people quote in comments and on YouTube videos the well-known bold statement: “Most secure OS ever” whenever a Windows security breach is detected. Even though the claim might be true to some extent, I think Microsoft should’ve never said that during the Windows Vista days.