Microsoft Provides Guidance on Windows 7 Zero-Day Vulnerability
Wednesday, November 18, 2009; 12:19 AM
Microsoft has acknowledged the Windows 7 zero-day vulnerability reported last week with a Security Advisory. The advisory from Microsoft provides some additional details about the scope and nature of the threat, as well as some steps you can take immediately to protect vulnerable systems.
The Security Advisory explains that this vulnerability cannot be used by an attacker to gain control of a vulnerable system, or to install malicious software. It also notes that, while functional exploit code has been published, there are no reported incidents of this flaw being exploited in the wild at this time.
The flaw lies in Windows' implementation of the SMB file-sharing protocol and can be triggered on a vulnerable system to cause a denial-of-service (DoS) condition. It is confirmed to exist on Windows 7 and Windows Server 2008 R2, on both 32-bit and 64-bit builds.
The Microsoft Security Advisory notes that standard firewall best practices should mitigate this threat in most instances. The number of ports open through the firewall should be minimized, and the ports used by SMB ought to be blocked at the firewall by default as a function of normal security policy.
Microsoft is developing a security update which will resolve this issue, but the earliest you can expect to see that update is probably Microsoft's Patch Tuesday for December, which isn't until December 8. In the meantime, there are some workarounds or extra steps you can take to safeguard your systems against having this vulnerability exploited.
To protect vulnerable systems on your network from any potential exploit, Microsoft recommends blocking TCP ports 139 and 445 at the firewall. These are the primary ports used by SMB: 445 carries SMB directly over TCP, and 139 carries SMB over the NetBIOS session service. Blocking them at the perimeter prevents exploitation from outside the network, but also prevents using services that ride on SMB across the firewall, such as Group Policy, Net Logon, Computer Browser and more.
Arguably these functions and services should not be enabled across the firewall anyway. A VPN connection should be required to provide a secure, encrypted tunnel for accessing internal services and resources across the firewall. If you use a VPN connection these functions will not be affected by blocking the ports at the firewall.
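The article's recommendation is a perimeter firewall rule, but the same block can be applied on the Windows 7 or Server 2008 R2 host itself, which also covers laptops that leave the network. The following PowerShell is an added example (the editor's code, not from the article or from Microsoft's advisory): it adds an outbound block for TCP 139 and 445 with netsh advfirewall, scoped so that RFC 1918 private addresses (internal file servers) stay reachable, then checks the result with a plain TCP connect, since PowerShell 2.0 on Windows 7 has no Test-NetConnection. The rule name, the address ranges and the two test hosts (fileserver.corp.example and 203.0.113.10) are placeholders chosen for the example.

```powershell
# Added example (editor's code, not from the article or Microsoft's advisory).
# Blocks outbound SMB (TCP 139 and 445) on the host itself and verifies the
# result with netsh advfirewall as shipped with Windows 7 / Server 2008 R2.
# Rule name, address ranges and test hosts are placeholders.

$ruleName = 'Block outbound SMB (TCP 139,445)'

# Every IPv4 range except RFC 1918 private space, so internal file servers
# stay reachable while the client can no longer reach an SMB server on the
# Internet. Windows Firewall evaluates block rules before allow rules, so the
# carve-out has to be expressed in the block rule's own scope.
$publicRanges = '1.0.0.0-9.255.255.255,11.0.0.0-172.15.255.255,' +
                '172.32.0.0-192.167.255.255,192.169.0.0-223.255.255.255'

# Arguments containing commas are quoted so PowerShell passes them to netsh
# as single tokens instead of splitting them into an array.
netsh advfirewall firewall add rule "name=$ruleName" dir=out action=block `
    protocol=TCP 'remoteport=139,445' "remoteip=$publicRanges" profile=any

# Confirm the rule was stored as intended.
netsh advfirewall firewall show rule "name=$ruleName"

function Test-SmbReachable {
    # Returns $true if a TCP handshake to $Target:$Port completes within
    # $TimeoutMs, $false on timeout or connection error.
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [int]$Port = 445,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Check an internal file server (placeholder name) and a public address
# (203.0.113.0/24 is the TEST-NET-3 documentation range, also a placeholder).
Test-SmbReachable -Target 'fileserver.corp.example'
Test-SmbReachable -Target '203.0.113.10'

# Once the security update is installed, remove the rule again:
# netsh advfirewall firewall delete rule "name=$ruleName"
```

With the rule active, the first check should still succeed because the internal server falls inside the RFC 1918 carve-out, and the second should return $false because the SYN to the public address is dropped. If the internal check fails, the file server is probably not on a private address and the carve-out needs adjusting; if the public check still succeeds, another allow rule or a group policy is overriding the block and the perimeter rule the advisory recommends is the only reliable control.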
This workaround only covers traffic that crosses the firewall. Microsoft also acknowledges that the flaw can be exploited by an attacker who creates a malicious Web page and lures users into clicking a link to a shared file; the victim's machine then opens an SMB connection to the attacker's server. This works from any Web browser, not just Microsoft's Internet Explorer.
Blocking outbound SMB at the perimeter stops that connection when the attacker's server is on the Internet, but not when it sits inside the network or when the user is on an unfiltered connection such as a home or hotel network. There, the remaining protection is user education and a healthy dose of common sense. Remind your users not to click on unknown links in e-mails or instant messages ... especially on Windows 7.
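User education can be backed by filtering: a link to a shared file takes the form of a UNC path (\\host\share\...) or a file: URL with a host component, and both are easy to spot in an e-mail body or a fetched page before a user sees them. The following PowerShell is an added example (the editor's code, not from the article or the advisory) that extracts such links and flags those pointing at hosts outside an allow-list. The sample HTML, the host 203.0.113.10, and the trusted server fileserver.corp.example are constructed placeholders.

```powershell
# Added example (editor's code, not from the article or the advisory). Scans
# text such as an e-mail body or a fetched Web page for links that would make
# a Windows client open an SMB connection when clicked: UNC paths (\\host\share)
# and file: URLs with a host component. Sample HTML, host names and the
# trusted-server list are constructed placeholders.

function Find-SmbLinks {
    param([Parameter(Mandatory = $true)][string]$Text)
    $patterns = @(
        # \\host\share\... ; the host name ends at the share separator
        '\\\\([A-Za-z0-9.-]+)\\[^\s"''<>]+',
        # file://host/share/... or the Windows form file:////host/share/...;
        # file:///C:/... has no host component and is deliberately not matched
        'file://(?://|///)?([A-Za-z0-9.-]+)/[^\s"''<>]+'
    )
    $found = @()
    foreach ($pattern in $patterns) {
        foreach ($m in [regex]::Matches($Text, $pattern)) {
            $found += New-Object PSObject -Property @{
                Host = $m.Groups[1].Value.ToLower()
                Link = $m.Value
            }
        }
    }
    return $found
}

# Constructed sample: two links to the same outside host (UNC and file: form),
# plus an HTTP link and a local file: URL that should not be flagged.
$sampleHtml = @'
<p>Quarterly report: <a href="\\203.0.113.10\reports\q3.xls">open</a></p>
<p>Mirror: <a href="file:////203.0.113.10/reports/q3.xls">alternate link</a></p>
<p>Web copy: <a href="http://intranet.example/reports/q3.xls">HTTP</a>,
   local notes: <a href="file:///C:/Users/Public/readme.txt">readme</a></p>
'@

# Internal servers whose shares users are expected to open (placeholder).
$trustedHosts = @('fileserver.corp.example')

Find-SmbLinks -Text $sampleHtml |
    Where-Object { $trustedHosts -notcontains $_.Host } |
    ForEach-Object { Write-Warning ("SMB link to untrusted host {0}: {1}" -f $_.Host, $_.Link) }
```

Run against the sample, the two links to 203.0.113.10 are reported and the HTTP and local file: links are ignored. The filter is deliberately narrow: it does not decode HTML entities or URL-encoded backslashes, so a mail gateway using it should normalise the body first, and an allow-list of internal servers is what keeps it from flagging every legitimate link to the department file share.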