Microsoft warns of serious, unpatched Windows 7 flaw

Summary: A serious security vulnerability in Microsoft's newest operating system could expose users to code execution and denial-of-service attacks.


A serious security vulnerability in Microsoft's newest operating system could expose users to code execution and denial-of-service attacks, the company warned in an advisory issued late Tuesday.

The vulnerability, which only affects Windows 7 and Windows Server 2008 R2, was publicly discussed ahead of Microsoft's advisory, but the company said there are no reports of attacks attempting to exploit the flaw.

The flaw was found in the Canonical Display Driver (cdd.dll), which is used by desktop composition to blend the Windows Graphics Device Interface (GDI) and DirectX drawing.

More information from the MSRC blog:

Code execution, while possible in theory, would be very difficult due to memory randomization both in kernel memory and via Address Space Layout Randomization (ASLR). Additionally, this vulnerability only affects Windows systems if they have the Aero theme installed; Aero is not switched on by default in Windows Server 2008 R2, nor does 2008 R2 include Aero-capable graphics drivers by default.

In most scenarios, Microsoft believes it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.

The company has activated its security response process and promises a patch once the investigations are complete.

In the meantime, affected Windows 7 or Windows 2008 R2 users should consider disabling the Windows Aero Theme to prevent the issue from being exploited.

To disable Windows Aero by changing the theme, perform the following steps for each user on a system:

  1. Click Start, select the Control Panel, and then click on Appearance and Personalization.
  2. Under the Personalization category, click on Change the Theme.
  3. Scroll to the bottom of the listed themes and select one of the available Basic and High Contrast Themes.
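As an added example, not from the article or from Microsoft's advisory: a PowerShell check that reports whether the current session matches both conditions the advisory names (Windows 7 / Server 2008 R2, and Aero desktop composition switched on), so an administrator can confirm the theme workaround actually took effect. It assumes PowerShell 2.0 or later and uses the documented dwmapi.dll call DwmIsCompositionEnabled; the function name Test-AeroExposure is mine.

```powershell
# Added example (not from the article or the advisory). Reports whether this
# session is exposed as the advisory describes it: an NT 6.1 system (Windows 7
# or Windows Server 2008 R2) with desktop composition (Aero) enabled.
# Assumption: PowerShell 2.0+; DwmIsCompositionEnabled is the documented
# dwmapi.dll API that reports whether the Desktop Window Manager is composing.

$sig = @'
[System.Runtime.InteropServices.DllImport("dwmapi.dll")]
public static extern int DwmIsCompositionEnabled(out bool enabled);
'@
$dwm = Add-Type -MemberDefinition $sig -Name 'DwmCheck' -Namespace 'AeroCheck' -PassThru

function Test-AeroExposure {
    $os = [Environment]::OSVersion.Version
    # Windows 7 and Windows Server 2008 R2 both report kernel version 6.1.
    $affectedFamily = ($os.Major -eq 6 -and $os.Minor -eq 1)

    $composition = $false
    $hr = $dwm::DwmIsCompositionEnabled([ref]$composition)
    if ($hr -ne 0) {
        # A failed call means DWM is not available in this session (for example
        # Server 2008 R2 without the Desktop Experience feature): treat as off.
        $composition = $false
    }

    # cdd.dll is the module the advisory names; record its version for the report.
    $cdd = Join-Path $env:windir 'System32\cdd.dll'
    $cddVersion = if (Test-Path $cdd) { (Get-Item $cdd).VersionInfo.FileVersion } else { 'not present' }

    New-Object PSObject -Property @{
        OSVersion         = $os.ToString()
        AffectedOSFamily  = $affectedFamily
        AeroCompositionOn = $composition
        CddDllVersion     = $cddVersion
        # Exposed only when both conditions from the advisory hold at once.
        Exposed           = ($affectedFamily -and $composition)
    }
}

Test-AeroExposure | Format-List
```

Desktop composition is a per-session setting, so run the check inside each user's interactive session (not over a remote shell) to match the per-user steps above.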

Topics: Microsoft, Security, Windows


Talkback

99 comments
  • Loverock Davidson said you have made a mistake and

    Loverock Davidson is never wrong :-)
    Over and Out
    • LOOK EVERY!!! HE MENTIONS ME!!!

      LOOK EVERYONE!!! HE MENTIONS ME!!! I love it when my fans publicly advertise me. This is awesome. Thank you :)
      Loverock Davidson
  • RE: Microsoft warns of serious, unpatched Windows 7 flaw

    These unpatched flaws could cost the users many financial problems.

    George P.
    georgealarcon
    • You make that

      @georgealarcon

      sound as if vulnerabilities only exist in Microsoft software.
      The one and only, Cylon Centurion
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @NStalnecker Normally when vulnerabilities are found in Linux for example, the patch has been applied when it was announced or a day or two after. MS is notorious for taking a very long time. In fact, a study found that MS's response time to fixing critical bugs was, in 2005, on average 90 days, including security vulnerabilities that were being actively exploited.

        They might not be the only one that has vulnerabilities, but they have far more, and take way longer than all other OS's to correct them. Fact. If you had read that link I posted in another article for you, you might have seen that :P
        garethmcc
      • You're practically right, nowadays. MS have been so slow to fix many of 'em

        AzuMao
      • They are getting better.

        2005 was a long time ago, and before the trustworthy computing initiative.

        Not to mention, you have to write the code that plugs the vulnerability, and then test that code to make sure it will work and won't break something else in the process. Which right now, thanks to arrogance, ignorance, and people's otherwise refusal to move on, they're supporting 4 desktop operating systems (2000, XP, Vista, and 7), and at least 3 server operating systems as well(2003, 2008, 2008R2). Microsoft supports a huge user base, with different hardware and software installations which would require the extensive testing I mentioned above.

        Apple doesn't have that, but you are locked into whatever Lord Jobs commands that you have to use. And Linux doesn't have that either.

        90 days seems a bit more likely now, doesn't it? In a perfect world, vulnerabilities would be patched right away, but until you factor in all of the things needed to make the patch work, you're already looking at needing some time to do so.
        The one and only, Cylon Centurion
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @NStalnecker Linux doesn't have that? You obviously have no idea how the peer-review system works in OSS products. And why does MS have to force people into upgrading to new versions of OS's, costing companies millions of dollars, by extorting them by not fixing bugs in their own software? And the Trusted Computing Initiative? Started earlier than 2005 by the way. And yet their latest and greatest OS still has major flaws like this. That's incredibly trusted.

        And don't even start with the "more people run Windows so they are bigger targets" spiel. An overwhelming majority of Web server OS's run Linux compared to Windows and yet Windows still gets breached a lot more often than Linux servers.

        Sure you have to patch the code and test it doesn't break anything else, but it's Windows' monolithic structure that makes it so interdependent. A fix in one package on a Linux OS is less likely to break anything else thanks to its modularised structure. Not to mention that the rare vulnerabilities found on a Linux OS are often found by a developer in code, and a patch made right then and there to fix it.
        garethmcc
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @garethmcc

        [i]a study found that MS's response time to fixing critical bugs was, in 2005, on average of 90 days, including security vulnerabilities that were being actively exploited.[/i]

        What study are you quoting and what is the contrast in response time to Apple and Linux vendors?

        [i]And why does MS have to force people into upgrading to new versions of OS's costing companies millions of dollars by extorting them by not fixing bugs in their own software.[/i]

        Force who to upgrade? Aren't millions of companies still on XP? Don't people rabidly defend their right to use XP? Don't these same fixes come across Microsoft update for everyone? So how are they being forced? No other OS has the enduring support for as long as XP has had. You can't find a current browser that supports Panther in OS X today. On top of that, many argue how Microsoft needs to change the registry or improve security, etc. And when they do something that addresses the security issue, but allows backwards compatibility by keeping the registry and not forcing companies to start from scratch, you argue that they are leaving people out in the cold by making a new version? Seriously. Try to be consistent with your arguments. Fact is, in my experience, Windows 7 and Windows Vista just don't get hacked unless UAC is completely turned off.

        [i]And don't even start with the "more people run Windows so they are bigger targets" spiel. An overwhelming majority of Web server OS's run Linux compared to Windows and yet Windows still gets breached a lot more often than Linux servers.[/i]

        I'll call you on this nonsense. Where do you get that Windows is breached a lot more often? What site? What numbers? And are you genuinely comparing Linux to Windows, or Apache to IIS? Either way, here is a link for your edification.

        http://www.zone-h.org/news/id/4686

        It's not coincidental that the numbers are reflective of market share. If you find more current numbers, let me know. I'm searching as well.
        PlayFair
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @garethmcc

        [i]And don't even start with the "more people run Windows so they are bigger targets" spiel. An overwhelming majority of Web server OS's run Linux compared to Windows and yet Windows still gets breached a lot more often than Linux servers.[/i]

        Just another Linux spiel. There are so many vulnerabilities in the web-server software that runs on top of Linux that there is no need to hack the OS itself. Web sites get breached on a fairly regular basis. How good is the OS if it can't run secure software on top of it?

        Incidentally, you may want to take a look at this: http://www.ubuntu.com/usn/USN-939-1
        Earthling2
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        And why does MS have to force people into upgrading to new versions of OS's costing companies millions of dollars by extorting them by not fixing bugs in their own software. And the Trusted Computing Initiative? Started earlier than 2005 by the way. And yet their latest and greatest OS still has major flaws like this. Thats incredibly trusted.

        They don't have to force you, but by all accounts XP should have been dead by now, but will be supported for another 4 years. Same with Server 2003. As for the initiative, the program is working if you would stop to notice. (http://news.softpedia.com/news/Microsoft-Offers-a-Complex-Windows-Vista-vs-Windows-XP-Perspective-69927.shtml) Security bulletins are down for Vista/7 from XP.
        But to expect any piece of software not to have vulnerabilities is impossible.
        The one and only, Cylon Centurion
      • @NStalnecker

        [i]They are getting better.
        2005 was a long time ago, and before the trustworthy computing initiative. [/i]

        Not really; for a lot of people, equipment is expected to last [i]at least[/i] 5 years.

        [i]Not to mention, you have to write the code that plugs the vulnerability, and then test that code to make sure it will work and won't break something else in the process.[/i]

        Just like the OSS developers do with Linux OSs and Apple do with OSX. Yep. Another thing they all have in common is that they run on computers with CPUs. So what?

        [i]Which right now, thanks to arrogance, ignorance, and people's otherwise refusal to move on, they're supporting 4 desktop operating systems (2000, XP, Vista, and 7), and at least 3 server operating systems as well(2003, 2008, 2008R2).[/i]

        Um, no.. thanks to Microsoft putting in the original license for those operating systems at point-of-sale saying they'd be supported until a certain date, and that date not having passed yet.

        Also, you've only listed Windows NT 5 and Windows NT 6. That's really just 2 (not 7,) OSs, with slightly different combinations of default installed programs and themes.

        [i]Force who to upgrade?[/i]

        Anyone who wants to play some new game they bought on max settings, because Microsoft pay game developers to arbitrarily cripple their games on pre-Vista systems. They even do this themselves (see Halo 2.. runs fine on XP, but MS made it check if it was running on XP and close if so).

        One prime example was Crysis, where they bought out Crytek and had them disable the "Very High" settings if the OS detected contained "Windows XP" in the string, but lied and said it was because they used DirectX 10.. but soon after somebody made a hack disabling the test and voila.. no real technical limitations.. just MS forcing people to upgrade so they can make more money from them.
        AzuMao
      • only by offering one hunderd percent support for older...

        @NStalnecker operating system software can they remove support without problems with people, can they stop support for older operating systems. If I upgrade to Win7 I lose almost ten thousand dollars worth of software. Would you want to lose that much? The only reason I would lose it is it is only compatible with XP.
        dougogd@...
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @dougogd Care to name any of this 10 grand worth of software? Just one or two would do.
        rtk
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @Playfair According to that link you sent me I can then conclude that because India's GDP is larger than Switzerland's, it's a much better country to live in. But when I take into account the number of people in India and work out a per capita figure it's a totally different story. Same with those stats. An exploit per machine stat is far more revealing. What if there are 3x the number of Linux OS web servers out there than the Windows ones? Then Linux is still way more secure.

        And which dummy was it that said "How good can an OS be if it can't run security software?". What on earth are you talking about? You CAN run anti-virus and all that crap on Linux if you want; it's not necessary. And besides, there are other security methods available on a Linux OS like AppArmor, a built-in, default-on (granted Windows now has this too after years of avoiding it) and many other security mechanisms (such as PROPER user separation from the system root).

        And why no link from me? Cos every time I provide one it gets ignored. Such as this one (a little old now but still relevant) which is an unbiased paper put together by someone who uses both proprietary and OSS software and genuinely wanted to put together something to clear up myths. http://www.dwheeler.com/oss_fs_why.html
        garethmcc
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @earthling2 Your link (http://www.ubuntu.com/usn/USN-939-1) shows me a vulnerability that was posted about with a resolution already pushed to end users. So what are you trying to say? The day that Ubuntu notifies people about it those same people have already had the update downloaded and installed onto their machines.

        And note that the person discovering it (Loïc Minier) was actually a developer looking at code and found it, so could push the fix at the same time because he COULD actually look at the code. Not some security company blindly hurling stuff at a black box until something sticks and then publicly telling everyone about it while the company developing it scrambles to try and fix it.
        garethmcc
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @NStalnecker:

        According to your post "thanks to arrogance, ignorance, and people's otherwise refusal to move on...". Yeah right.
        So now we are the arrogant ignorants who chose Windows because it was an "industry-standard" and thought that Microsoft would act wisely and never stop supporting the standard they helped create, just as Sony has not stopped supporting CDs (even when now they have DVD, Blu Rays and even Blu Rays 2).

        My TV still has RCA plugs in the back even if today we have HDMI. My remote control has AAA batteries, even when we now have Li-Ion rechargeables. Even further proof is Sylvania's new LED lightbulb which plugs into the old and tried screw plug of incandescents.

        It's been a MS nonsense to force users to move from the tried-and-tested without major benefits. Even this article casts a shadow on the never ceasing folklore myth that Windows 7 is tens of times more secure than XP. Bollocks. Windows 7 is even more vulnerable, not because it is ill-designed, but because it is new and unproven, so there's plenty of bugs to be uncovered.

        Next time, don't call us arrogant. Call us wise. Arrogants are people "showing feelings of [b]unwarranted importance out of overbearing pride[/b]". That's the exact definition of Windows 7, and that's the exact definition of MS at this moment. Arrogant.

        As for ignorance. Well that's precisely the road being followed by those going 7's way. Us XPers know where we are at and know what are the shortcomings.
        cosuna
      • Zone-H Statistics Are Self Selecting

        @PlayFair
        Zone-H statistics are self selecting and therefore not terribly useful. That is, the attackers send in the information to Zone-H. There are a few reasons this is a problem.

        The first reason is that an attacker sends the information in to brag about his success. If the attacker perceives one target as harder than another, then he is more likely to send information about that defacement than one on an easier target.

        It's like this. If you set up a site containing race results that only included the placement in the race of those who submitted reports on the race then you would find an inordinate percentage of people who finished in the top three, and especially first, because those would be the people who submitted reports to the site. Why would someone who finished twenty-third bother to report his finish?

        The second reason this is a problem is that it only includes manually targeted attacks. One of the biggest flaws in IIS in years past was its vulnerability to worms. Worm based defacements are not included in these statistics because they happen automatically, and the people who start them don't even keep track of what sites they have affected individually.

        Basically all self-perpetuating automated attacks are left out of these statistics altogether. That makes them not even close to complete.

        Finally, if you look at the actual attack methods used, you will see that these attacks are almost completely based on poor security practices and not exploitations of server vulnerabilities (whether they are IIS or Apache). So, as a basis for discovering which software has more vulnerabilities, the data is pretty much useless.
        CFWhitman
    • RE: Microsoft warns of serious, unpatched Windows 7 flaw

      @georgealarcon
      It could but it won't because [i]the company said there are no reports of attacks attempting to exploit the flaw.[/i]
      Loverock Davidson
      • RE: Microsoft warns of serious, unpatched Windows 7 flaw

        @Loverock Davidson That's like saying I don't wear my seatbelt while I drive and I haven't been killed in an accident yet so everything is ok, you don't need a seatbelt.

        Get real.
        garethmcc