Microsoft Confirms Zero-Day Flaws In Windows 7, Windows Server 2008R2
First, we must truly rejoice at this turn of events where Microsoft, once the company that would never admit mistakes or problems until years after their resolution, has again let the world know of a problem pointed out by a security researcher, a few days ago.
Microsoft late on Friday confirmed that an unpatched vulnerability exists in Windows 7, but downplayed the problem, saying most users would be protected from attack by blocking two ports at the firewall.
In a security advisory, Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.
The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog. According to Gaffie, exploiting the flaw crashes Windows 7 and Server 2008 R2 systems so thoroughly that the only recourse is to manually power off the computers.
At the time, Microsoft only said it was investigating Gaffie’s reports.
The story in Computerworld continues by telling that Friday, Microsoft admitted the flaw and published an advisory concerning the problem. while explaining that the problem, while a nuisance, could not do any harm other than causing results similar to denial of service, because there is no way to insert malicious code.
Some bad news in this is the fact that Microsoft doesn’t seem especially energized to put out a fix for this at top speed, presumably because of the limited problems that could be caused, but perhaps because of difficulty in pulling off the exploit. Still, it might be a good idea to protect those possible sales of Windows Server 2008R2 that haven’t been rung up on the register.
Then on Friday, it took the next step and issued the advisory. “Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable,” Dave Forstrom, a spokesman for Microsoft security group, said in an e-mail. “The company is not aware of attacks to exploit the reported vulnerability at this time.”
Forstrom echoed Gaffie’s comments earlier in the week that while an exploit could incapacitate a PC, the vulnerability could not be used by hackers to install malicious code on a Windows 7 system.
Both SMBv1 and its successor, SMBv2, contain the bug. “Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected,” assured Forstrom.
Attacks could be aimed at any browser, not just Internet Explorer (IE), Microsoft warned. After tricking users into visiting a malicious site or a previously-compromised domain, hackers could feed them specially-crafted URIs (uniform resource identifier), and then crash their PCs with malformed SMB packets.
Microsoft said it may patch the problem, but didn’t spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of Dec. 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall. Doing so, however, would disable browsers as well as a host of critical services, including network file-sharing and IT group policies.
Not exactly what you might call a good solution. This appears to be similar to fixing the old Ford Pinto’s predilection for blowing up when hit from behind by telling the driver to simply stop putting gasoline in the tank. No gas, no possible explosion!
and then -
Gaffie’s vulnerability was the first zero-day reported and confirmed by Microsoft in Windows 7 since the new operating system went on sale Oct. 22.
Oh, but there will be more vulnerabilities, there always are.
§
⌘
⌘
 | Life is pleasant. Death is peaceful. It’s the transition that’s troublesome. |
•
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What Do You Think?
You must be logged in to post a comment.