An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft’s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows system, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

And more from the same source (different article):

In December 2007, Microsoft patched the file- and printer-sharing functionality in Windows Vista to fix a medium-severity vulnerability. Unfortunately, the company inadvertently added a critical flaw, a security researcher said on Friday.

In an e-mail interview with SecurityFocus, Laurent Gaffié — the researcher that disclosed a critical flaw in Microsoft’s Server Message Block (SMB) version 2 code earlier this week — said that further research pinpointed the specific patch that added the vulnerability to Windows Vista. The patch, which fixed a remote execution flaw in SMBv2 signing, was rated Important by Microsoft because the vulnerable feature was not turned on by default. The vulnerability that the patch allegedly introduced could allow an attacker to exploit an affected system in its default configuration, which usually merits a Critical rating from Microsoft.

So, it seems that Microsoft has shipped yet another remotely exploitable security hole in their operating system(s). Hopefully it won’t be wormable to any greater extent, but we’ll find that out real soon.

This helps illustrate the point I tried to make in my last post, that no client machines can be trusted. They are all compromised sooner or later.

Also, if you are trying to be compliant with some policy, your risk ratings just peaked if you are using Vista… in particular if you have mobile workstations being carried in and out of your network. How do you manage that threat? Firewall port 139 and 445 on all clients, thereby loosing the possibility of remote administration and breaking functionality that might be needed by your business systems?

And this is just one hole… I sure hope that you have control over the Acrobat Reader’s and Flash installations on your clients

To use some internet acronyms;

OMG.

WTF.

LOL.

It might be that the commercial is so US that makes it so absurdly funny. At the same time it makes me pity two of the worlds best paid people. Strange feeling

More at The Register.

My feeling is that Microsoft is slipping in a lot of areas right now and alternatives are being examined where there is possibility to do so.

Vista is/was probably a big mistake, and key features are being turned off in a lot of larger environments for the sake of compatibility with older applications.

The problems companies are facing with this operating system is not very far from what they would be facing if switching to an open source solution as many components need to be rewritten in whole.

The world is changing and there are alternatives to resource-hogging and expensive software. You wanna stay in the game? Then get with it.

I think their own advisory from 1999 (!!!) explains the issue pretty well:

Well,

too bad they only protected their customers from this if their domains ended in .com, and that this issue has persisted through eight more years of code (how much new code did they say there were in Vista?). This little function seems to have remained unchanged for almost a decade anyhow…

Now let’s hope that Microsoft are faster than the bad guys… And in the meantime:

• If you have a webfilter, block all adresses containing “wpad.” in them.
• On most Windows operating systems, stopping the service “WinHTTP Web Proxy Auto-Discovery Service” would also do it, but some people have been having problems with this.

In other words, keep an eye on your network the next couple of weeks until MS produces a patch.

Cheers and browse safe!

I was recently visiting a larger company in Sweden that is in the testing stage of a large deployment of Windows Vista. This deployment will be done on a pretty big userbase that has somewhat special security demands and for that reason they are following the SSLF (or SS-LF) baseline presented by Microsoft in the Windows Vista Security Guide. In that same guide you will also find information about a lighter security model called Enterprise Client (EC). The EC-baseline provides a more simple and less intrusive security baseline but it did not fill the requirements for this particular company.

I was quite impressed with the work they had done and how well it seems to have fallen out and decided to read up on these baselines. I mean, more security for Windows systems is not a bad thing and if you can do this easily then it would be great.

The definition of the two baselines in the Windows Vista Security Guide are:

• Enterprise Client (EC). Client computers in this environment are located in a domain that uses Active Directory and only need to communicate with systems running Windows Server 2003. The client computers in this environment include a mixture: some run Windows Vista whereas others run Windows XP….
• Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment. The client computers in this environment run only Windows Vista…”

The whole process of securing the clients are done via Active Directory group policies and the implementation of these can be very much simplified by using pre-made scripts (also included in the security guide).

The main downside for me with this policy (SSLF) is that it might cause a minor conflict with the brand new “Panda For Desktops” (formerly known as ClientShield) but there is an easy remedy for that particular problem. Guess why I was there btw hehe…

Here is a short list of resources for more information:

• Windows Vista Security Guide – The whole guide, including everything.
• Lou Bolanis blog with links related to SSLF – More interesting links.
  
• Technet Security Guidance Center – Security information regarding all MS products.

And as a bonus, the delicious, the enormously useful (as not many run on an SSLF baseline) but also quite CTO friendly:

• Fundamental Computer Investigation Guide for Windows

This should be an prerequisite for all administrators running a +100 user network. Sure would make my life a hell of a lot easier during intrusion investigations

Cheers and drive safe (winter in Sweden now) !