bit-tech.net

Unpatched Windows flaw sparks concern


If you're running the Release Candidate of Windows 7 you might want to check your firewall: Microsoft has confirmed an unpatched security flaw.

The news in Windows-land continues to worry, with Microsoft revealing an unpatched vulnerability in Windows which can lead to remote code execution.

As reported over on InfoWorld, Microsoft has confirmed reports that an as-yet unpatched security flaw in the latest version of the SMB (Server Message Block) networking subsystem on Windows Vista can lead to remote code execution.

It's not just Vista users who should worry, either: the company has admitted that Windows 7 and Windows Server 2008 suffer from the same flaw, which can be used to either remotely control an affected system or simply crash multiple boxes with ease.

If you were hoping to upgrade to Windows 7 for improved security, don't despair quite yet: tests carried out by nCircle's Tyler Reguly have shown that while the Windows 7 and Windows Server 2008 R2 release candidates are vulnerable, the Release To Manufacturing version - which represents the code that will ship in the final release - is unaffected by the flaw.

Nevertheless, it's a pretty major issue. Coming as it does so soon after another unpatched vulnerability in Microsoft's IIS software started being actively attacked, it's going to be a bad time for Windows sysadmins.

So far Microsoft has not commented on the likelihood of an out-of-cycle patch - released outside its normal monthly Patch Tuesday schedule - for either bug, despite administrators worldwide clamouring for fixes.

Does this make you worry about the safety of your Windows box, or do you have faith that Microsoft will come right in the end? Share your thoughts over in the forums.

8 Comments

SBS 10th September 2009, 14:31
*smugly smiles at the Netlimiter icon*
wuyanxu 10th September 2009, 15:03
Quote:
the Release To Manufacturing version - which represents the code which will ship in the final release - are unaffected by the flaw.
so why worry?
leexgx 10th September 2009, 15:58
basically it affects anyone that runs IIS, going to be having fun
GoodBytes 10th September 2009, 17:59
Don't routers already block all ports by default?
So it only concerns internal attacks in environments that see IIS. I believe that Microsoft will have a patch by October 22nd, which is over a month away.
Shagbag 10th September 2009, 21:10
Quote:
Originally Posted by
From MS's security advisory:
Quote:
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.
Response:

We - the purchasing consumers - encourage all software producers to (a) produce quality code in the first instance, and (b) audit that code to make sure these bugs don't get released in the first place. We feel such practice is in everyone's best interests.
Laitainion 13th September 2009, 07:52
Quote:
Originally Posted by Shagbag
Quote:
Originally Posted by
From MS's security advisory:
Quote:
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.

Response:

We - the purchasing consumers - encourage all software producers to (a) produce quality code in the first instance, and (b) audit that code to make sure these bugs don't get released in the first place. We feel such practice is in everyone's best interests.

And while you're at it, I'll have some world peace.

Removing all the bugs from anything as complex as an OS is statistically impossible, no matter how many man hours you throw at it or methods used. This is doubly true for exploits, since the developers have to think of everything a hacker *could* come up with. The hacker only has to think of *one* thing the developer hasn't to have an exploit.
Shagbag 13th September 2009, 10:29
Quote:
Originally Posted by Laitainion
And while you're at it, I'll have some world peace.

Removing all the bugs from anything as complex as an OS is statistically impossible, no matter how many man hours you throw at it or methods used. This is doubly true for exploits, since the developers have to think of everything a hacker *could* come up with. The hacker only has to think of *one* thing the developer hasn't to have an exploit.
I agree that no system is 100% secure (save for one that's not switched on), but that's not at all what I said. I suggest you spend some time exploring the (shoestring budget) OpenBSD project as an example to see why what you've said doesn't hold water. It is well within MS's resources to release clean code. It is, however, another added cost for them which eats into their profitability. From an economics point of view, I understand that. However, it still doesn't excuse them from the fact that many of the 'vulnerabilities' in Windows are due to poor coding which can be fixed. What they said in their advisory was complete hypocrisy. That was my point.
si- 14th September 2009, 08:13
Quote:
Originally Posted by Shagbag
I agree that no system is 100% secure (save for one that's not switched on), but that's not at all what I said. I suggest you spend some time exploring the (shoestring budget) OpenBSD project as an example to see why what you've said doesn't hold water. It is well within MS's resources to release clean code. It is, however, another added cost for them which eats into their profitability. From an economics point of view, I understand that. However, it still doesn't excuse them from the fact that many of the 'vulnerabilities' in Windows are due to poor coding which can be fixed. What they said in their advisory was complete hypocrisy. That was my point.

+1. Whilst MS have certainly improved (IIS has few recent exploits) and the SDL seems a decent approach, you can't feel sorry for them given their past slackness and poor coding (features and quick release always won over security and testing)...the holy trinity applies to building software just as well as it does to building hardware.