Press

Windows 7 to hit consumers with known security problem

on:

FSFE: Microsoft's neglect highlights value of Free Software

Microsoft's latest operating system, Windows 7, is currently shipping with a potentially serious defect. Ahead of the product's global launch on Thursday, Germany's federal IT security agency (BSI) has issued a warning [1] about a high-risk vulnerability in the SMB2 protocol. This can be exploited over the network to shut down a computer with a Denial of Service (DoS) attack.

This incident illustrates how proprietary software often poses a security risk. "Only Microsoft can fix the problem. But they have apparently closed their eyes to this vulnerability for a long time, hoping that it wouldn't spoil the retail launch of Windows 7 this Thursday," says Karsten Gerloff, President of the Free Software Foundation Europe (FSFE).

Following responsible disclosure practices, the BSI has not published details in its announcement (English translation below) from October 6. While it is generally a good strategy to give vendors time to repair vulnerabilities before announcing them publicly, in this case the BSI should consider publishing the full details of the problem to put more pressure on Microsoft. The agency says that the security hole affects Windows 7 and Windows Vista in both their 32-bit and 64-bit versions, as well as Windows Server 2008. This vulnerability is different from an earlier SMB2 issue [2] for which Microsoft published the patch MS09-050 in September.

FSFE's Gerloff explains: "Microsoft's software locks its users in, so they have to stay even if the company knowingly exposes them to a security risk like this. With Free Software like GNU/Linux - software that you can study, share and improve - several independent entities can fix the problem. Consumers should not support Microsoft's negligent behaviour by buying its products. Free Software offers an alternative, and is available from many independent vendors."

Microsoft has not yet responded to the BSI's warning. There is no indication that the company will manage to fix the gaping hole in its flagship operating system before the global launch of Windows 7 this Thursday. The vulnerability remains open even after Microsoft's October patch day.

The company's security practices have long been a cause for concern. In just one recent incident [3], Microsoft knew about another vulnerability in SMB2 since July 2009. While it did fix the problem in the final version of Windows 7 in early August, it did nothing to repair the same problem in Windows Vista or Windows Server 2008 until an independent security researcher went public about the issue. German IT news site Heise speculates that the issue ended up on a Microsoft-internal list of low-priority bugs which the company tries to fix silently, in order to avoid negative publicity.

[1] Germany's federal IT security agency (BSI) has issued a warning
[2] Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution
[3] Microsoft has known of the SMB2 hole for some time


Translation of the BSI's security advisory:

Threat level: "4 high risk" (out of 1-5, with 5 being "very high").
Title: Microsoft Windows SMB2-Protocol: Another vulnerability allows denial of service (Windows Vista and Windows 7 vulnerable).
Date: 2009-10-06
Software: Microsoft Windows 7, Microsoft Windows 7 x64 Edition, Microsoft Windows Vista / SP1 / SP2, Microsoft Windows Vista x64 Edition / SP1 / SP2, Microsoft Windows Server 2008
Platform: Windows
Effect: Denial-of-Service
Remoteexploitable: Yes
Risk: high
Reference: internal research
Description:

Server Message Block (SMB) is a protocol which enables shared access to printers and files. SMB2 is a new version of this protocol, which was introduced with Windows Vista and Windows Server 2008, and which is also available on Windows 7. Current implementations of SMB2 are affected by this vulnerability. This is a new vulnerability, not the one described in Microsoft Security Advisory 975497. The listed operating systems can therefore still be successfully attacked even after installation of the updates of Microsoft's October patchday (MS09-050).

Currently there is no update or patch available from the vendor. The only recommended actions are to be aware of and track the vulnerability. As a workaround it can only be recommended to limit access to SMB2 servers to trusted systems by firewalls, or to disable the SMB2 service.