
Windows has a new wormable vulnerability, with no patch - vo2maxer
https://arstechnica.com/information-technology/2020/03/windows-has-a-new-wormable-vulnerability-and-theres-no-patch-in-sight/
======
jra_samba
(Copy of a comment I posted on ars):

Microsoft hasn't contacted us (Samba) so this almost certainly isn't a
protocol level bug (they're _very_ good about being proactive on these), but
an error in their implementation of the SMB3 compression transform.

In other words, a typical buffer overrun in a compression library. Gee, wonder
where I've seen these before.

Currently Samba doesn't implement the SMB3 transform header, an example where
being slow to implement a feature is an advantage for once :-).

So most Linux-based SMB3 servers and NAS boxes (which use Samba) will not be
affected by this (I believe - things may change as more information becomes
available).

~~~
kazinator
Are you saying that Samba would use the same compression library as the
Windows file sharing implementation, and so hit the same flaw?

~~~
jra_samba
No, I'm saying that these kinds of bugs in compression libraries are very
common. We'll pick an open source one of course (we don't want to be in the
writing and maintaining compression library business, just like we don't want
to be in the crypto business), but we'd also be vulnerable to bugs in upstream
if the compression library we use has them.

I don't know what compression library Microsoft is using - probably they wrote
their own.

------
okareaman
I'm an old asm/C/C++ programmer (retired) who wanted to learn Rust but didn't
make the effort because of all the stories about how hard it was to deal with
the borrow checker. Then I realized that for a programmer like me that was
used to managing memory in my head, the borrow checker would be a piece of
cake. I wrote my first program in it and it was not hard at all. I get it that
JavaScript/Python etc... programmers who always had a garbage collector might
have trouble.

It was so nice to have the compiler catch several stupid errors for me. If I
were King of the world I would decree that all new public facing software with
real world consequences had to be written in Rust. I'm pretty sure I read that
Microsoft is looking at Rust to mitigate some of these issues.

Edit: added "new" to make it clear I don't mean rewriting everything in Rust.

~~~
jimmaswell
I really wanted to give Rust a chance for the memory management but I just
don't have the motivation to get past the absolutely bizarre syntax, naming
conventions full of weird abbreviations like it's the 80s, and the inscrutable
replacement for the OO everyone is familiar with. Every facet of the language
feels like an exercise in NIH syndrome and it's just too much at once.

~~~
steveklabnik
Almost all of these things come from other languages, some that have existed
for decades. It's probably unfamiliar because you haven't run across them yet,
which is fine!

------
EvanAnderson
Blocking TCP port 445 on servers and clients where file sharing isn't
necessary is a good idea anyway. Windows Firewall and Group Policy are
sufficient to get that rolled out.

Unfortunately, Active Directory Domain Controllers must expose it to function
properly, so hitting those machines with the workaround registry value is a
good idea.

------
upofadown
> Windows users who have SMBv3 exposed on the Internet ...

Is that something that ever happens on purpose?

~~~
T-hawk
No, but that just means the internet isn't the attack surface. If a machine on
an intranet gets compromised by some other means, this is a vector for that
machine to attack anything it can reach with SMB.

------
christophilus
Another buffer overflow bug. I’d love to see a running tally of the cost of
buffer overflows.

~~~
vmchale
> Another buffer overflow bug.

time to shill ATS

~~~
heartbeats
I don't get why ATS isn't more popular. It's a really cool language.

~~~
pjmlp
It is very cool, but the type system is quite complex.

------
ck2
block port 445 inbound, it's more than nothing

~~~
gruez
You’d want to block 445 outbound as well, in case your computer tries to
connect to an external server (eg. social engineering and/or UNC paths)
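
One way to apply both mitigations raised in this thread on a single host (EvanAnderson's inbound block on TCP 445 plus Microsoft's workaround registry value, and gruez's outbound block), as an added PowerShell example that is not code from the thread, from Microsoft, or from technion's repository. It assumes Microsoft's published workaround for this advisory, which sets the DisableCompression DWORD under the LanmanServer Parameters key, and it assumes build numbers 18362 and 18363 for 1903 and 1909; the function names and firewall rule display names are my own. For a fleet, push the same settings through Group Policy as EvanAnderson suggests; this is the per-host equivalent for testing on one box.

```powershell
# Added example (not from the thread, Microsoft, or technion's repo):
# apply the two mitigations discussed above on one Windows 10 1903/1909 host.
#  1. Windows Firewall rules blocking TCP 445 inbound AND outbound.
#  2. Microsoft's workaround: DisableCompression=1 under LanmanServer\Parameters.
# Run from an elevated prompt. The firewall rules are skipped on domain
# controllers, which must keep 445 open; they get the registry workaround only.

#Requires -RunAsAdministrator

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-AffectedBuild {
    # Assumption: 1903 = build 18362, 1909 = build 18363 are the affected builds
    # named in the thread; LTSC 2016 (14393) and 2019 (17763) are not in the list.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    return $build -in @(18362, 18363)
}

function Get-SmbCompressionState {
    # Reports whether the workaround value is present and set.
    $v = Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'enabled (value absent, default)' }
    if ($v.DisableCompression -eq 1) { return 'disabled (workaround applied)' }
    return "enabled (DisableCompression=$($v.DisableCompression))"
}

function Disable-SmbCompression {
    # Microsoft's documented workaround value; no reboot required.
    Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
}

function Block-SmbPort445 {
    param([string]$Prefix = 'Block SMB 445')
    # Idempotent: drop any rules created by an earlier run, then recreate them.
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Inbound: nobody should reach this host's SMB service.
    New-NetFirewallRule -DisplayName "$Prefix inbound" -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    # Outbound (gruez's point): stops this host being lured to a hostile SMB
    # server via a UNC path, a crafted document, or social engineering.
    New-NetFirewallRule -DisplayName "$Prefix outbound" -Direction Outbound `
        -Protocol TCP -RemotePort 445 -Action Block -Profile Any | Out-Null
}

# ---- main ----
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

Write-Host "Affected build:          $(Test-AffectedBuild)"
Write-Host "SMB compression before:  $(Get-SmbCompressionState)"
Disable-SmbCompression
Write-Host "SMB compression after:   $(Get-SmbCompressionState)"

if ($isDc) {
    Write-Host "Domain controller detected: leaving TCP 445 open, registry workaround only."
} else {
    Block-SmbPort445
    Write-Host "Firewall rules blocking TCP 445 inbound and outbound are in place."
}
```

The outbound rule is the one people forget: an inbound block protects the SMB server, but a client that follows a UNC path to an attacker-controlled host still speaks SMB3 and negotiates compression with it. Keep the domain-controller branch in mind when wrapping this in a GPO, since a blanket 445 block there takes down authentication for the whole domain.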

------
andrewflnr
They just casually mention that Talos pulled their advisory without any
indication of why. Does anyone know? Did MS just ask them to?

------
longcat
This only impacts 1903 and 1909 releases of Windows, so Windows Server LTSC
2016 and 2019 aren't affected.

------
keepsmiling
Hi, a patch has been released: CVE-2020-0796.

------
technion
I built an Active Directory template to deploy Microsoft's mitigation:

[https://github.com/technion/DisableSMBCompression](https://github.com/technion/DisableSMBCompression)

------
rfoo
Don't worry, #itsjusttheblue.

------
speedgoose
Perhaps one day unsafe programming languages will be forbidden to use.

~~~
johnr2
> Perhaps one day unsafe programming languages will be forbidden to use.

That would mean ruling out a whole lot of performance-critical software
(including that written in unsafe Rust). Be careful what you wish for.

~~~
speedgoose
I'm quite sure the performance hit will be fine in a few decades.

~~~
fl0wenol
That kind of thinking made sense twenty years ago where you could assume
Moore's law was going to hold into the next decades.

~~~
speedgoose
You don't think we will have budget for a few safety checks?

