Microsoft releases an advisory to help users concerned about a new zero-day vulnerability affecting Windows 7 and Windows Server 2008 R2. The bug was made public last week after Patch Tuesday.
a security advisory
to help users mitigate a bug affecting Windows 7 and
Windows Server 2008 Release 2.
The security vulnerability
by researcher Laurent Gaffie and can be exploited to remotely
trigger a denial-of-service condition in Windows 7 and Windows Server 2008
R2. Gaffie posted proof-of-concept
to the Full Disclosure mailing list and his personal blog last week.
The bug he uncovered lies
within the Server Message Block (SMB) protocol and affects SMB versions 1 and
2, the advisory states. SMB is the file-sharing protocol used by default on
According to Microsoft,
users can block
ports 139 and 445 at the firewall
to defend themselves against exploits. Instructions on how to do that are
contained within the advisory. Several Windows services use the affected
ports, so blocking connectivity to the ports may cause various
applications or services to stop functioning, Microsoft warned.
"Microsoft is aware of
public, detailed exploit code that would cause a system to stop functioning or
become unreliable," Dave Forstrom, group manager of public relations for
Microsoft Trustworthy Computing, said in a statement. "If exploited, this
DoS vulnerability would not allow an attacker to take control of, or install
malware on, the customer's system but could cause the affected system to stop
responding until manually restarted. It is important to note that the
default firewall settings on Windows 7 will help block attempts to exploit this
According to the advisory,
the issue can be exploited through Web transactions regardless of browser type.
"In a Web-based attack
scenario, an attacker would have to host a Web page that contains a specially
URI," the advisory states. "A user that browsed to that Web
site will force an SMB connection to an SMB server controlled by the attacker,
which would then send a malicious response back to the user. This response
would cause the user's system to stop responding until manually restarted.
"In addition, compromised
Web sites and Web sites that accept or host user-provided content could contain
specially crafted content that could exploit this vulnerability," the advisory
continues." An attacker would have no way to force users to visit a specially
crafted Web site. Instead, an attacker would have to convince them to visit the
Web site, typically by getting them to click a link in an e-mail message or
Instant Messenger message that takes them to the attacker's site."
Microsoft noted that the vulnerability is unrelated to MS09-050
which addressed three security issues affecting SMB Version 2.