E-Mail:
Get our new Windows 7 eBook (PDF) for $7 with 70+ Tips. Download Now!

Windows Patch Tuesday Leaves 0-Day Flaw on Wednesday

Thursday, November 12th, 2009
by the oracle

Many articles about the last Patch Tuesday were almost puffing about the lack of fixes for Windows 7. It did appear that Windows 7 was doing better than almost any other operating system after release.

It was not to be however, as a story in ComputerWorld reveals the flaw reported in Windows 7 the very next day -

It was a notable accomplishment when Windows 7 was not impacted in any way by the vulnerabilities addressed in the six Security Bulletins released by Microsoft for the November Patch Tuesday. It would be even more impressive if Windows 7 proved invulnerable to the zero-day exploit that hit the next day.

This newly found bug was discovered by Laurent Gaffie and details were posted on the Full Disclosure mailing list. Microsoft is investigating the reported flaw which basically crashes a Windows 7 system when exploited. The issue is in the SMB (Server Message Block) protocol that forms the backbone of Windows file sharing. When triggered, the flaw results in an infinite loop which renders the computer useless.

Tyler Reguly, Lead Security Research Engineer with nCircle, explains “Exploitation of this vulnerability occurs when a user attempts to browse to Windows Share hosted on the malicious server. On Windows 7, the DoS (denial of service) will occur as soon as you type ‘\\<ip>\’ in the search box. “

The vulnerability actually impacts both Windows 7 and Windows Server 2008 R2. There are currently a couple different proof-of-concept exploits circulating, but there are no reported attacks in the wild at this point. Because the flaw only enables an attacker to crash the system, and doesn’t provide any unauthorized remote access that could lead to compromising information or performing other malicious activities, the odds of the exploit being actively used by attackers is fairly slim.

So it seems that it is only an annoyance, with little possibility of permanent damage to any system. Still, it is very strange that after almost 20 years of SMB protocol Microsoft has not made this thing absolutely bulletproof.

It has always been my understanding that user tests occur on large scale OS projects, as well as computerized usage. After getting that many years of shaking out the bugs, there simply should not be any.

I remember being told in a beginning programming class, that if a programmer wanted to make sure that error trapping was working properly on a project, turn a couple of 3 year-old children loose, and see what havoc they can wreak. Perhaps Microsoft never heard that. Certainly the ability of ‘computerized ruggedness checking’ to be employed, makes the appearance of these type of bug very disappointing.

§

microsoft-logoover 20 years of repeated mistakes, and counting…

Opera, the fastest and most secure web browser

Tags
Categories

What Do You Think?

You must be logged in to post a comment.

Posted Recently

Auslogics Defrag Adds Features, Windows 7 Improvements

Microsoft Wokked In China

Perhaps We Need Some Larger Cases

The Using XP Until 2014 Plan Gets A Shot In The Arm

Opera 10.10 Just a Smidgen Away

Why Microsoft Should Underwrite nVidia

New PC Maker, Origin, Debuts Desktop and Mobile Computers

Republicans Show True Colors Again!

They Really Never Tire Of Things Like This

Is Microsoft Willing to Cede Netbooks to Chrome OS?

PlayStation 3s Helping the U.S. Government

Chrome OS Revealed, But Hibernating for Winter

As Microsoft Moves to MinWin, Servers Gain, Desktops May Lose

Windows 7 Was Consulted on By The NSA, Why Did They Not Simply “Borrow” From SELinux?

Internet Explorer 9 Announced – Should It Get Another Thought?

Spinning Disk Drives – Not Ready for the Pasture Yet

AMD (ATi) HD 5970 The New Undisputed Champion

Diskeeper Launches Diskeeper 2010 With Revolutionary New Feature

Twitter Adds Stalking Feature‽

Good News for Builders – Memory Pricing Will Go Down

GT240, Not A Car, Apparently the nVidia Model We’ll Be Seeing Everywhere

New Zealand Joins The U.S., E.U., and Japan

Sarah Palin – Could She Be The Second Internet President?

Cray Returns to Top Dog Status

AOL Set to Go It Alone

Software Copyrights and EULAs – Not In the Public Interest

Something In The Air…Smells Like…Stupidity!

DRAM Landscape Has Changed Quickly

Graphics Cards Coming On Strong

Good Things Come to Those Who Wait

Microsoft Muddies the Licensing Waters Again

In the War Of Cops & Pirates, The Pirates Have Just Pulled Off Another Victory

“Honesty Is The Best Policy” Still the Rule For Some!

Google Wants to Make the Internet More SP(ee)DY

Microsoft Confirms Zero-Day Flaws In Windows 7, Windows Server 2008R2

Apple Wins In Court, Psystar Left Twisting in the Wind

Trillian Astra Gets Better, Goes to 4.1 Beta, Fewer Nits to Pick

Microsoft Releases Windows 7 Themes from Corporate Entities

Opera Releases 10.10 RC, Almost Ready to Unite

MPAA Joins IRS As An Entity Above the Law

49 queries / 0.899 seconds.