Redmond is investigating reports that a newly discovered flaw in Microsoft's implementation of the Server Message Block 2 (SMB2) protocol, an extension of the conventional Server Message Block protocol, can be exploited to remotely crash and restart computers running Windows Vista or Windows 7. The attack does not require authentication, but port 445 of the target system must be open, and on Windows it is open by default. Laurent Gaffié, who discovered the vulnerability, has contacted Microsoft, noting that the only solution he can think of is to turn off the SMB feature and close port 445.

Gaffié says the vulnerability is a result of how the srv2.sys driver handles client requests when the "Process Id High" field of the SMB header contains an ampersand (this isn't the first time an ampersand has caused trouble for Microsoft): "SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it's used to identify the SMB dialect that will be used for further communication."

Windows Server 2008 may also be vulnerable, as it uses the same SMB2 driver, but Gaffié has not tested the flaw against the server operating system. The flaw could also potentially lead to a denial of service attack or remote code execution.

Update

Microsoft has now issued Security Advisory 975497 regarding the issue. The software giant noted its concern that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk, but that it is not aware of any attacks that try to use the reported vulnerabilities. Redmond says it may provide a security update on Patch Tuesday or an out-of-cycle patch once it is ready.

Microsoft listed two workarounds for the flaw: disable SMB v2 and block TCP ports 139 and 445 at the firewall. The company also gave three mitigating factors:

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the SMB ports should be blocked from the Internet.

In Windows Vista, if the network profile is set to "Public", the system is not affected by this vulnerability, since unsolicited inbound network packets are blocked by default.

Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.
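For the two workarounds Microsoft lists above (disable SMB v2; block TCP ports 139 and 445 at the firewall), here is an added PowerShell script that applies both on a Windows Vista or Windows Server 2008 host and then reports the resulting state. It is example code written for this page, not from the article, the advisory, or Microsoft. The firewall rules use netsh advfirewall, which Vista and Server 2008 ship with; the registry value it sets to turn SMB2 off (a DWORD named Smb2 under the LanmanServer Parameters key) and the Server service restart are assumptions of this example, not details the page gives, so verify them against Microsoft's own advisory text before running it on a production host.

```powershell
# Added example (not from the article or from Microsoft): applies the two
# workarounds from Security Advisory 975497 and reports the result.
# Assumptions: run from an elevated PowerShell on Vista / Server 2008;
# the Smb2 registry value under LanmanServer\Parameters is the SMB2 switch
# (assumed here, not stated on the page); netsh advfirewall is available.

$ErrorActionPreference = 'Stop'

# Workaround 1: block inbound SMB ports (TCP 139 and 445) in Windows Firewall.
function Block-SmbPorts {
    foreach ($port in 139, 445) {
        $name = "Block inbound SMB TCP $port (SA 975497 workaround)"
        # Delete any rule of the same name first so the script can be re-run safely.
        netsh advfirewall firewall delete rule name="$name" | Out-Null
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=$port | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed to add the block rule for TCP $port" }
        Write-Host "Added inbound block rule for TCP $port"
    }
}

# Workaround 2: disable SMB v2 on the server side and restart the Server
# service (LanmanServer) so srv2.sys is no longer used for new sessions.
# The Smb2 DWORD is an assumption of this example; it is backed up before
# being changed so the host can be restored once a patch is installed.
function Disable-Smb2 {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Smb2
    if ($null -eq $current) {
        Write-Host 'Smb2 value not present (SMB2 enabled by default)'
    } else {
        Write-Host "Current Smb2 value: $current"
    }
    # Keep a copy of the previous value for rollback.
    Set-ItemProperty -Path $key -Name 'Smb2_backup_before_SA975497' -Type String -Value "$current" -Force
    Set-ItemProperty -Path $key -Name 'Smb2' -Type DWord -Value 0 -Force
    Restart-Service -Name LanmanServer -Force
    Write-Host 'Smb2 set to 0 and Server service restarted'
}

# Report: active firewall profile (the advisory notes the Vista "Public"
# profile already blocks unsolicited inbound traffic), the block rules,
# and whether the host still listens on 139/445 (the service may keep
# listening; the firewall rules are what drop unsolicited traffic).
function Show-SmbState {
    Write-Host '--- Active firewall profile ---'
    netsh advfirewall show currentprofile
    Write-Host '--- Block rules for SMB ports ---'
    netsh advfirewall firewall show rule name=all | Select-String 'Block inbound SMB'
    Write-Host '--- Local listeners on TCP 139/445 ---'
    netstat -an | Select-String ':(139|445)\s.*LISTENING'
    Write-Host '--- Smb2 registry value ---'
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name Smb2 -ErrorAction SilentlyContinue
}

Block-SmbPorts
Disable-Smb2
Show-SmbState
```

Both workarounds are reversible: delete the two named firewall rules with netsh advfirewall firewall delete rule, and restore the Smb2 value from the backup entry the script writes, then restart the Server service again. Disabling SMB2 makes Vista and Server 2008 fall back to SMB1 for file sharing, so expect slower transfers between affected hosts until the patch is applied and the value is restored.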

That's right, despite the initial reports, Microsoft says that only Windows Vista and Windows Server 2008 are affected. This is good news for everyone who has already gotten their hands on the latest versions of Windows and Windows Server, though it should be noted that the Windows 7 RC is indeed affected.