Microsoft won't patch SMB flaw that only an idiot would expose

A Windows SMB vulnerability revealed late last week at DEF CON won't be patched because Microsoft says the service should be firewalled off from the internet anyway. The 20-year-old bug is in at least Windows 2000 to Windows 10. It was discovered by RiskSense bods, who combed Redmond's file server code for flaws similar to the …

  1. Likkie

    Enough said

    "... only an idiot would expose".

    1. a_yank_lurker

      Re: Enough said

      Only an idiot would think the scenario would not happen, guess the prime qualification to work at Slurp is to be an idiot.

      1. Jonathan 27

        Re: Enough said

        You can't protect idiots from themselves no matter how hard you try. If you have an SMBv1 share exposed to the internet they can brute force the password fairly easily even without a flaw. No one should ever have any SMB shares on the Internet.

        The cost-effective solution would be to disable SMB sharing on affected versions of Windows, I imagine you wouldn't like Microsoft doing that unilaterally either.

        1. Danny 14

          Re: Enough said

          I thought a recent MS security patch pretty much disabled smbv1 everywhere? I seem to remember reading about it after wannacry surfaced.

          Smbv1 is quite old and outdated. Even my linux boxes aren't using smbv1.

          Even basic routers would block internet smbv1 access so you have to be pretty daft to start opening the ports up (or just pppoeing your server to the Internet).

        2. sebbb

          Re: Enough said

          "No one should ever have any SMB shares on the Internet."

          Not really on the internet, but guess what caused the so-damn-fast spread of the wannacry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.

          1. Peter2 Silver badge

            Re: Enough said

            Not really on the internet, but guess what caused the so-damn-fast spread of the wannacry in the NHS... the nationwide private WAN has SMB wide open to and from basically anything. And it is still open now.

            When I was working in NHS IM&T we treated the N3 as an externally facing internet connection so every site had its own firewall. No doubt you can find single site trusts basically without IT staff that are incompetently set up, but there is really no such entity as "THE NHS", it's a patchwork of hundreds of different trusts all running things in radically different ways.

  2. Bill Stewart

    Please Fix The Headline

    It should be SMBLoris there too. SlowLoris was an analogy, but this is about the SMB1 attack.

  3. Teiwaz

    But...

    Isn't Windows the idiots' O.S.?

    Downvote if you wish, but you can't deny they've spent the last couple of decades trying to make it as easy as possible to use.

    1. Nate Amsden

      Re: But...

      Till windows 10 ?

      If you can't find it..grind it.

    2. Anonymous Coward
      Anonymous Coward

      Re: But...

      There's nothing wrong with making the OS easy to use, if it's done properly and elegantly.

      Windows became idiotic since Win 8 (Metro! Metro! Metro!) and Win 10 (SatNad and his Insider groupies' data mining project)... it's really the entire Microsoft becoming idiotic, rather than something that's unique to Windows ('new and improved' Skype).

      We have an entire generation of youths who do not know basic DOS commands.

      1. Jonathan 27

        Re: But...

        Who needs DOS commands? DOS is dead, if youths want to learn console commands they need to learn Bash or PowerShell.

        1. JLV

          Re: But...

          Powershell is powerful, true. But its early learning curve is very steep. Steeper than bash and much steeper than dos. Even a lowly dir /o:d requires figuring out what the object's date attribute is called and a pipe to the sort. And the whole command will be much longer too. On the positive side you don't need to parse a text stream to isolate that date for further processing. For advanced usage, ps's more structured object mechanism pays off, most of the time it seems overkill.

          I fear the days of the casual command line user, if there ever was such a beast on Windows, are ending.

    3. aaronj2906_01

      Re: But...

      Nope. Linux is...

      Mint / Mandriva / Ubuntu might use RPMs... and Kerberos-5 emulation... but there is a REASON they have gone nowhere over the last 40+ years.

      1. Doctor Syntax Silver badge

        Re: But...

        "there is a REASON they have gone nowhere over the last 40+ years."

        Yes, Microsoft's leaning on major PC manufacturers to ship them all with Windows.

        1. Anonymous Coward
          Anonymous Coward

          "Yes, Microsoft's leaning on major PC manufacturers "

          Why didn't MS do it in the server space too, and let Linux overcome Windows Server?

          Anyway Linux didn't become a desktop alternative until well into the 2000s - just look at kernel releases, and desktop managers state - a lot was missing, especially on laptops.

          MS business "practices" hurt previous competitors much more, and the lack of applications, which in some areas is still an issue, didn't really help - just like the distro fragmentation and companies like Mandrake/Mandriva with the wrong business model.

          Also, PC manufacturers today would sell preinstalled whatever they could to improve PC sales. PC manufacturers aren't stupid, if Linux would have sold as much as Windows, they would have said goodbye to MS long ago.

          But keep on believing people don't use desktop Linux just because the evil eye of MS...

          1. nijam Silver badge

            Re: "Yes, Microsoft's leaning on major PC manufacturers "

            > PC manufacturers aren't stupid, if Linux would have sold as much as Windows, they would have said goodbye to MS long ago

            PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive. So the "linux doesn't sell" mantra becomes self-fulfilling.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Yes, Microsoft's leaning on major PC manufacturers "

              "PC manufacturers get "all-or-nothing" discount deals which make offering non-Windows alternatives very expensive."

              In practice, impossible. The "nothing" option means not being able to sell any Microsoft product or advertisements on those and that's a lot of money.

              Almost half of the profit for a HW-maker on a cheap Windows laptop is from advertisements and 3rd party programs (systematically called "crapware") pre-installed on it.

              Often so you can't remove them without installing the whole system from a retail Windows DVD and *puff*, none of the drivers needed are there as they exist only in the vendor- and version-specific image installed on the machine. So you live with crapware or don't use the machine. Nice.

              So far that on paper similar Dell laptops, 1 month between buying, couldn't connect to the network with each other's rescue disk as - tadaa - the network card had changed in between, totally different.

              Of course neither worked with retail-Windows-DVD either. I wasn't surprised.

              1. Anonymous Coward
                Anonymous Coward

                "Almost half of the profit for HW-maker on cheap Windows-laptop"

                Stop buying them. They're just crap. It's funny how all those Linux power users feel the need to buy such a crap.

                True, Linux may be less resource hungry, but do you really buy such crap??? Why??? Leave them to the Windows users whom they are designed for.

                It's the whole system which is built with cheap components, why risk for any professional work?? You'll save a lot from not buying software, so, make a gift to yourself, buy better hardware... or aren't you paid enough for all those Linux skills to afford a decent PC???

                Never found, anyway, yet a PC for which drivers were not available for the supported operating systems. The fact that two PCs bought a month apart may have different components doesn't surprise me. One component may have been EOL'd and replaced by another. And if the components are released after the OS version, there's a good chance they won't be supported by a retail installer unless you add the drivers yourself.

          2. Anonymous Coward
            Anonymous Coward

            Re: "Yes, Microsoft's leaning on major PC manufacturers "

            "PC manufacturers aren't stupid, if Linux would have sold as much as Windows, they would have said goodbye to MS long ago."

            'Would have sold', right. How would anyone know how much they would sell without Microsoft?

            That's a risk no CEO will take. Not now and not for a long time.

            Also MS has a policy which defines that either you sell Windows pre-installed (and _only_ Windows) or you are not selling MS-products at all. That's the evil part: illegal abuse of monopoly, very serious threat to HW makers.

            Linux is not sold, basically, as it's a free software: Where's the profit on that?

            Selling hardware is only one part of profit on HW: Selling advertisements on said hardware is often half of the profit and that's impossible if buyer install his own OS.

            Also Intel is practically married with Microsoft and they haven't been able to invent anything really new since late 80s. There's more profits in making same old shit cheaper than earlier and there basically isn't any competition, so no need to invent anything new.

            Monopolies and cartels always mean technical stagnation and are illegal for a reason. Obviously being big enough leads to the cartel wagging the Congress and not the other way round.

            1. Anonymous Coward
              Anonymous Coward

              Re: "Yes, Microsoft's leaning on major PC manufacturers "

              You are with your heads stuck firmly in the past. Actually, many vendors sell PCs with Linux preinstalled. For example Dell sells laptops and desktops with Ubuntu preinstalled (it gives you a choice of three LTS). Which actually shows your assertions are just BS - there's no way MS can forbid it today.

              But you all keep on repeating 1990s era "news", before MS was hit by antitrust investigations, just in the attempt to justify why almost no one bothers to buy a desktop/laptop with Linux preinstalled, especially since many will order it anyway without the OS and then install the distro of their choice, because not everybody uses Ubuntu. And even if Linux is free, supporting five or six distros would be expensive anyway - especially as long as Linux integralists keep on complaining about proprietary drivers...

              What's wrong with Linux is too many believe it is a religion, and believe in dogmas without actually checking if they are still true. They were told in the past, and it has to be still true... take your head out of the sand.

          3. Anonymous Coward
            Anonymous Coward

            Re: "Yes, Microsoft's leaning on major PC manufacturers "

            "But keep on believing people don't use desktop Linux just because the evil eye of MS..."

            Not _just_ because of that, Linux has some serious problems by itself, but money always talks and MS has a lot of money and Linux-people don't.

            Anyone who ignores that is just a fan boy.

            The Linux kernel is quite a piece but windows-stupidities with the ideology "one piece does everything" (like systemd) and UI nightmares like Gnome 3 are serious drawbacks mostly created by individuals or small groups who are so full of themselves that even obvious stupidities are dismissed by statements like "you are using it wrong", while fully knowing that the documentation doesn't say anything about the "right way" of using it.

            Neither are there error messages that make any sense.

            And the third brain damage, sabotage from the MS world: Thoroughly useless documentation.

            "This button confirms action" and the button has label "OK". Yea, right, I'm convinced.

      2. ManoDano

        Re: But...

        "but there is a REASON they have gone nowhere over the last 40+ years."

        Yeah, and that reason is that the Linux Kernel was only created in 1991, which is only 26 years ago.

        1. Danny 14

          Re: But...

          However in this case smbv1 was succeeded by smbv2 which was refined into smbv3.

          You don't use PPTP even though it is easy to set up and works, because it is insecure and has been superseded. Same can be said for smbv1.

        2. Anonymous Coward
          Anonymous Coward

          "the Linux Kernel was only created in 1991"

          Exactly. But until version 2.6 (2003) it wasn't really usable for anything serious.

          1. ckm5

            Re: "the Linux Kernel was only created in 1991"

            Interesting - I guess all those commercial Linux deployments I did in 1998 must have been a result of time travel....

            1. Anonymous Coward
              Anonymous Coward

              Re: "the Linux Kernel was only created in 1991"

              The fact you did something with Linux in 1998 didn't make it a useful tool for everybody. Believe me, there were people who actually used Windows 2.0.

              Until kernel 2.6 Linux had several shortcomings in many areas - i.e. threading and memory management that hindered its use in large applications. Feel free to tell us what your "commercial deployments" were....

              From kernel 2.6 onward Linux made great leaps.

    4. phuzz Silver badge

      Re: But...

      Isn't OSX generally considered to be the easiest OS to use? Apple's developers are going to be all sad now :(

    5. Jonathan 27

      Re: But...

      Nah, that's Mac OS. You know the one they advertise as being magically immune to viruses.

    6. Anonymous Coward
      Anonymous Coward

      Re: But...

      There's a fresh DoS bug in NFS too:

      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645

  4. bombastic bob Silver badge
    Devil

    the problem is Microshaft's design

    the problem is Microshaft's design. The idea that a networked box would expose services on the intarwebs is in and of itself a MAJOR problem.

    In other words, they should have designed it to ONLY listen on RFC1918 IP addresses, and ONLY listen if you enable networking.

    But NOOooo... they have to bind to 0.0.0.0 (i.e. everything) and THAT is the problem!

    And they do that with other "well known" or "easily discoverable" TCP stuff. Just do a "netstat -an" some time on your Winders box, and see what's listening...

    And if it shows up as the SAME port on everybody ELSE's box, and there's a vulnerability on it, and you connect directly to the intarwebs on a publicly visible IP address [including _ANY_ IPv6 address!] then you're exposing your winders box's soft underbelly to the intarwebs.

    "Only an idiot" would have DESIGNED! IT! THIS! WAY!! Right, Micro-shaft??

    [the need to bind to publicly visible IP addresses could be a kind of "opt in" setting, and THEN it would be the customer's fault for doing it...]
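    As an added example (not part of the post above or of the thread), here is a defender-side audit in Python that reads the kind of "netstat -an" output mentioned above and reports which SMB/NetBIOS/RPC listeners are bound to 0.0.0.0 or :: (every interface) or to a public address, as opposed to only an RFC 1918 address. The netstat sample embedded in the block is constructed, and the port list and private ranges are the standard assignments, not anything from this page.

```python
"""Audit Windows "netstat -an" output for file-sharing ports bound too widely.
Defender-side only: it parses text and never touches the network."""
import ipaddress
from dataclasses import dataclass

# Ports discussed in the thread: SMB direct-over-TCP, NetBIOS over TCP/IP and
# the RPC endpoint mapper (standard IANA/Microsoft assignments).
AUDITED_PORTS = {
    445: "SMB (direct over TCP)",
    139: "NetBIOS session (legacy SMB transport)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    135: "MS-RPC endpoint mapper",
}
# RFC 1918 IPv4 ranges plus the IPv6 unique-local range (RFC 4193).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample in Windows "netstat -an" layout; not from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49665         10.0.0.9:445           ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [2001:db8::1]:445      [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.20:138       *:*
  UDP    [fe80::1%12]:1900      *:*
"""

@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    service: str
    addr: str
    scope: str  # wildcard | public | private | link-local | loopback

    @property
    def needs_firewall_rule(self) -> bool:
        # Reachable from beyond the LAN unless a host or edge firewall blocks it.
        return self.scope in ("wildcard", "public")

def _split_local(local: str):
    """'[::]:445' -> ('::', 445); '[fe80::1%12]:1900' -> ('fe80::1', 1900)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)  # drop brackets, zone id

def parse_listeners(netstat_text: str):
    """(proto, addr, port) for bound sockets: LISTENING TCP rows and all UDP rows."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank line or anything that is not a socket row
        proto = parts[0].upper()
        if proto == "TCP" and (len(parts) < 4 or parts[3].upper() != "LISTENING"):
            continue  # established or time-wait connections are not listeners
        host, port = _split_local(parts[1])
        listeners.append((proto, host, port))
    return listeners

def classify_bind(addr: str) -> str:
    """Where a socket bound to this address can be reached from."""
    if addr in ("0.0.0.0", "::"):
        return "wildcard"  # every interface, including a public one
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"  # any globally routable address, IPv6 included

def audit_smb(netstat_text: str):
    """One Finding per listener on an audited port, sorted by port."""
    findings = [Finding(proto, port, AUDITED_PORTS[port], addr, classify_bind(addr))
                for proto, addr, port in parse_listeners(netstat_text)
                if port in AUDITED_PORTS]
    return sorted(findings, key=lambda f: (f.port, f.proto, f.addr))

def summarize(findings):
    """Count findings per scope, e.g. {'wildcard': 4, 'private': 2, 'public': 1}."""
    counts = {}
    for f in findings:
        counts[f.scope] = counts.get(f.scope, 0) + 1
    return counts
```

    On a real host, feed it the saved output of "netstat -an" and treat every finding whose needs_firewall_rule is true as a listener that a host or edge firewall must block from non-LAN sources.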

    1. Anonymous Coward
      Facepalm

      Re: the problem is Microshaft's design

      Yeah who would expose services to the internet, like SMTP, HTTP, DNS, NTP, ...

      1. Kevin Johnston

        Re: the problem is Microshaft's design

        He may be Bombastic but there is a perfectly valid point here. The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running. This may include core network ports but why would HTTP be enabled by default? That should get enabled as part of configuring the HTTP security rather than as soon as the server starts.

        I am not going to claim I know which should or shouldn't be in that minimal set but wide-open is a poor choice for a starting point

        1. Anonymous Coward
          Anonymous Coward

          Re: the problem is Microshaft's design

          Because most administration tools today are used via HTTP? The system anyway asks what kind of network connection is used, and if the local firewall is active, it is assigned to different profiles, which does limit the scope of the ports.

        2. Anonymous Coward
          Anonymous Coward

          Re: the problem is Microshaft's design

          I have no issue with Bob's technical views - far from it - just the anti-Microsoft diatribe attached to it.

          All OS's have their place and I'll never slag off one over the other, it's all rather childish

          1. bombastic bob Silver badge
            Megaphone

            Re: the problem is Microshaft's design

            "just the anti Microsoft diatribe attached to it."

            no diatribe, just POINTING OUT FACTS that are easily verified.

            1. Danny 14

              Re: the problem is Microshaft's design

              The default state for ports on my server2012r2 is closed. I need a domain firewall policy to allow services. I can't say for standalone servers but I imagine you need to enable them in the firewall.

        3. Roland6 Silver badge

          Re: the problem is Microshaft's design

          >The default state for ports should be disabled with the minimum possible exceptions in order to get the box up and running.

          This was the default setting for secure third-party Windows firewalls such as Comodo and Outpost from the very beginning (i.e. before 2005), but then they also blocked inbound and outbound traffic and performed stateful inspection, whereas the Windows firewall was only a simple outbound port blocker.

          Also in the case of Outpost, SMB/NetBios traffic (if you enabled it) was limited by default to IANA defined private networks and specifically the subnet the host was attached to.

          I would assume that this is also the case with all modern security suites...

          >but why would HTTP be enabled by default?

          On a system (not a firewall appliance), I would expect outbound HTTP to be enabled by default, given the extent to which browsers have become as essential to system setup and operation as TelNet and FTP were a few decades back.

      2. oldcoder

        Re: the problem is Microshaft's design

        You left out SMB, RPC, and the slew of the one Windows exposes.

        1. Anonymous Coward
          Anonymous Coward

          "You left out SMB, RPC,"

          Psssst... RPC exists in Linux too... give a look to NFS, for example.

          Moreover, RPC, if done properly, and inside a LAN, is much better than all the HTTP stuff and cruft.

    2. Anonymous Coward
      Anonymous Coward

      Re: the problem is Microshaft's design

      OH FFS BOB,

      Change the record,

      LOTS OF PEOPLE LIKE MICROSOFT

      you may not like it, other bleaters may not like it - but get over it FFS.

      Were you scared by a picture of a dog on a Windows 3.1 PC years ago ??? .... just trying to make sense of it that's all

      1. RyokuMas
        Joke

        Re: the problem is Microshaft's design

        Bob needs to start adding "[INSERT SOMETHING HERE] FAIL!" at the end of his posts...

      2. Anonymous Coward
        Anonymous Coward

        Re: the problem is Microshaft's design

        "LOTS OF PEOPLE LIKE MICROSOFT"

        Err no they don't.

        People like Amazon for a variety of reasons, same with Google whom people often find useful, and Apple have their loyal fans too.

        But Microsoft? After force-feeding people a crash prone, bug ridden, security nightmare of an OS all these years, most people I meet from general public to programmers really do not like Microsoft much at all. The only people I ever met who said anything nice about Microsoft actually worked for Microsoft in some capacity.

        It's not "hating" or anti-Microsoft bias either, Microsoft have genuinely earned their terrible reputation.

      3. nijam Silver badge

        Re: the problem is Microshaft's design

        > LOTS OF PEOPLE LIKE MICROSOFT

        "Like" or "have it foisted on them"? Sales do not equate to popularity.

    3. Warm Braw

      Re: the problem is Microshaft's design

      I think SMB v1 predates the general availability of a TCP/IP stack for Windows and assumed a single LAN environment. That was a perfectly good design decision at the time. The pity is that it was not retired sooner.

      1. Anonymous Coward
        Anonymous Coward

        "I think SMB v1 predates the general availability of a TCP/IP stack for Windows"

        SMB predates Windows, and was designed at IBM, well before TCP/IP became the de-facto standard. It ran on IBM LAN protocols and IPX well before TCP/IP, thus there was no way it could have been published directly on the Internet. Only later was NetBIOS made available on top of TCP/IP, and then SMB directly - the issue as usual is "backward compatibility".

    4. ckm5

      Re: the problem is Microshaft's design

      Pretty much every Un*x ever designed does the same thing for most network services, at least until very, very recently.

      It's very unfair to blame MSFT for this - they did, after all, just copy Un*x including the entire TCP stack (from BSD nach)

  5. sqlrob
    Facepalm

    "won't be patched, because Redmond says it only needs a suitable block on connections coming from the Internet."

    Because we all know, boxes on the internal network are never compromised and there's never insider threats.

    1. Adam 52 Silver badge

      That was my thought too. But Microsoft aren't stupid and would have thought of that too, so I wonder if we've misunderstood.

    2. Sil

      If boxes on the internal network are compromised and there are insider threats, an SMB v1 bug is the least of your worries.

      1. Adam 52 Silver badge

        In any organisation bigger than a two person partnership then you've got insider threats and these days you should always treat the internal network as compromised.

        1. Danny 14

          Wannacry for example?

  6. FlamingDeath Silver badge

    Tired of this shit

    I'm done with supporting this shitty OS, everything they do these days makes me facepalm to the point my forehead is red raw and starts to bleed.

    The userbase are idiots and many of them think IT support bods are there to do their job for them because the job they're in, the one that requires them to use a fucking computer as part of their main duties, they can't fucking do!

    I've lost count of the number of times I've received support requests where really they are "I don't know how to do my job, can you do it for me" requests

    Windows10 is what has pushed me over the edge, fed up with being dragged along with whatever stupid business decisions Microturd decide to dump out. Like changing the program defaults bypassing domain policy so they can push their new Photos app, which errors because the store is blocked, or where you apply "security" patches, and you end up with new features somehow and cortana is more verbose. M$ are so tunnel-visioned as to what Google and Apple are doing, they've lost the fucking plot

  7. stephanh

    sorry, but is this so unreasonable?

    This is about SMBv1, an ancient protocol back from the days that the Internet was a kinder, gentler place. The only reasonable use case today is to put it on a tightly air-gapped network to talk to some legacy machines (say you have some Win95 boxes which must be kept alive to support some custom hardware).

    It's like insisting that the security issues in Telnet get fixed. They *did* get fixed, and the result is called "ssh".

    1. big_D Silver badge

      Re: sorry, but is this so unreasonable?

      Unfortunately not. Most "new" multi-function scanners that save to an SMB share only use SMBv1! That means, that if you have a corporate network with multi-function scanners from the likes of, say Konica Minolta and the staff can scan documents to a share, then the share has to have SMBv1 enabled!

      Obviously the mitigation here is that no corporate network in its right mind would open up SMB ports to the internet... On the other hand, those leased multi function devices often phone home, so they are the weak link. If they have remote access ports open and have an attack weakness, they can be used as a bridgehead into the network.

      Windows XP only uses SMBv1 by default, so any company still using legacy XP machines may also be vulnerable.

      1. Anonymous Coward
        Anonymous Coward

        Re: sorry, but is this so unreasonable?

        1) You now know SMBv1 is a vulnerable protocol - thus you have to harden and monitor its use

        2) You can still allow SMBv1 only directly over TCP, and disable the use of NetBIOS, which will remove a whole layer, unless your devices require NetBIOS (probably because they use some old and outdated open source implementation of SMB...)

    2. Doctor Syntax Silver badge

      Re: sorry, but is this so unreasonable?

      It's like insisting that the security issues in Telnet get fixed. They *did* get fixed, and the result is called "ssh".

      And domestic routers etc. still get shipped with telnet & no ssh.

      In the real world what gets done is what's convenient, not necessarily what's best.

    3. oldcoder

      Re: sorry, but is this so unreasonable?

      Actually, the telnet security issues were fixed by ktelnet.

      Adding kerberos encryption, and authentication to telnet. It even lets you use the unencrypted telnet for those times you HAVE to connect to old servers...

      1. Danny 14

        Re: sorry, but is this so unreasonable?

        Then don't buy products that have poor protocols baked in them. Or put said products on a vlan with locked down firewalled access if you must use leaky compromised kit.

        1. Anonymous Coward
          Anonymous Coward

          Re: sorry, but is this so unreasonable?

          "Then don't buy products that have poor protocols baked in them. "

          So basically nothing at all?

          Yes, having no computers (including anything 'smart' or 'IoT') or anything attached to them is a safe way, but not very practical.

  8. TrumpSlurp the Troll

    Bottom line

    You can't patch stupid.

  9. gsf333

    Do any of you technical guys know if people are 'safe' (to a decent enough level) when using WD My Book Live & My Clouds with remote access enabled?

    I appreciate this might have nothing to do with this article however always makes me think if I am opening up a can of worms when I select these options.

    1. Anonymous Coward
      Anonymous Coward

      Using WD My Book Live & My Clouds

      The real risk with these sort of devices is if someone can devise an exploit that allows it to be used as a gateway in to your network, allowing an external agent to "snoop about" on your network - i.e., using it as a means to bypass your firewall.

  10. Milton

    "But Microsoft aren't stupid"

    "But Microsoft aren't stupid" ...

    Ok, you say that—and it's a perfectly reasonable statement, which must be true of many people working at MS—but then my thoughts turn to Skype, and most especially, the recent "upgrades" or "improvements" to a product which MS has been laming for years ... and it's therefore clear that there are, indeed, some immensely, nay, *magnificently* stupid people at MS.

    So the question becomes: "Which ones do the coding, and which ones make the decisions?"

  11. Doctor Syntax Silver badge

    It's just as well nobody's invented something like Shodan to scan the net looking for open ports.

  12. oldcoder

    Microsoft SHOULD patch SMBv1

    Even exposing SMBv1 on private networks is a vulnerability for the network.

    Refusing to patch it is just unethical, immoral, and should be illegal.

    Now patching by giving the administrators the ability to disable it, yes. Patching it by giving the administrators the ability to restrict it to specified networks, yes.

    Both of those fixes should be present ANYWAY.

    Best of all would be ACTUALLY FIXING THE BUG.

    Anything else... just being stupid.

    AGAIN.

    1. Jonathan 27

      Re: Microsoft SHOULD patch SMBv1

      Disabling it has been available for years. Microsoft is even disabling SMB1 server on new Windows 10 installs right now.

      If you put the onus on software companies to patch bugs that affect software in ways it was never designed to be used you'd quickly find software prices would skyrocket to insane levels, it's not economically feasible. And if forced to "fix" this problem I'm totally convinced that Microsoft would just release a patch that disables SMB1. It may not even be possible to fix without modifying the protocol enough that it wouldn't be compatible with the current implementation, and then what point would there be in fixing it to create SMB v1.1, might as well just use SMB 2 or 3.

      1. Doctor Syntax Silver badge

        Re: Microsoft SHOULD patch SMBv1

        "If you put the onus on software companies to patch bugs that affect software in ways it was never designed to be used you'd quickly find software prices would skyrocket to insane levels"

        I hope you didn't mean that in the way I read it. Exploits of vulnerabilities are ways the software was never designed to be used.

      2. Danny 14

        Re: Microsoft SHOULD patch SMBv1

        They did patch smbv1. It's called smbv2.

  13. patrickstar

    A looot of services have issues similar to this one...

    It's just slightly worse than usual here because the allocations are non-pageable kernel memory, but still.

  14. Anonymous Coward
    Anonymous Coward

    My experience with SMB was that malformed SMB packets could crash the login process, requiring rebooting the server. That was several years ago and it might be fixed now, but nobody in their right mind would accept any kind of SMB protocol packets from the internet!!! Every business should have some form of firewall that allows filtering on protocol type.

  15. Alan Brown Silver badge

    doesn't need an Internet connection

    A pwned machine emitting packets on the LAN will have just the same effect and someone _will_ set up a click'n'drool attack script that does it for shits and giggles.

  16. Anonymous Coward
    Anonymous Coward

    All SMB version affected, according to the update on this article

    So according to the article update, all Windows OS from XP up to Win10 are affected. Not just SMBv1 but SMBv2 is vulnerable too. M$ won't patch it, it was a feature and many 'tools' from powerful agencies won't work if this is patched. Sorry, no patch since it's not a bug but a feature.
