This service is something that needs to be switched off / blocked / firewalled as soon as a new Windows computer is first switched on.
Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol. On Thursday morning, Redmond emitted the update to Server Message Block 3.1.1 to kill off a critical flaw word of which leaked out inadvertently this week. Designated CVE-2020- …
Agreed. However, it is possible to achieve rudimentary "proxying" if you have a section of your network that you really want to keep away from direct Windows contact.
I look after a testing lab (broadcast based tech) and none of the lab machines are on the domain for isolation reasons...long story...bottom line is, some of the tools they need require admin rights because they suck and/or were built by cretins...my predecessor had problems with viruses before because of the lax permissions, I therefore decided to remove domain access (they don't really need it, email is Office365 now) and direct access to domain resources (i.e. file sharing).
To do this, I have a Linux box that straddles the lab network and the main company LAN. The Linux box has a dual 10gbe NIC and is connected to a 10gbe switch which also has the file server in (also 10gbe), there is also a quad port gigabit switch which I have configured as a LAG on a second gigabit switch on the Lab network.
The Linux box has a volume mounted over iSCSI which is on the Windows File Server and is re-shared via Linux using SAMBA.
Users in the lab still have mounted network drives, but not direct access to the Windows box. Therefore any creepy crawly wormy things can't directly attack the Windows File Server.
It's not perfect, but it cuts out a lot of attack surface and is easy to monitor / switch off if I need complete isolation in the event of one of the technicians doing something stupid.
until this bug, SMB3 was looking pretty secure
Well, that's fine, then.
SMB is an ugly, overcomplicated, poorly-designed, highly stovepiped protocol. (And, yes, I've read the specs. I have the original on paper, in fact.) Rather than adding "features" like compression, Microsoft should be reimplementing the whole thing in a safer language (or with strict standards in place), with good (and enforced) secure-development practices, with static and dynamic analysis, and with unnecessary features disabled by default. Backward compatibility means many customers can't simply jettison it, so Microsoft needs to fix their mistakes.
Assuming 25 critical bugs found per month, for the next three years, means there are 900 critical bugs left to find... this one bug doesn’t matter that much since there are *plenty* left for skilled parties to find and abuse.
I installed the update and, after a restart, the trackpad no longer works on my laptop, it does "gestures" instead of moving the pointer. This is the second time I write this comment as swiping down ⭸ caused it to launch Chrome Help, then Chrome deleted the comment and no longer accepted keyboard input. Doing the same in Firefox, as in, swiping down ⭸ causes a caret browsing warning, claiming I hit F7.
Hm, I was using the computer quite happily until it asked me to "update and restart", which was mere minutes ago .... how can an SMB patch f*up input devices ?