Must Read: Sorry, but bringing back the Start menu won't help Windows 8

Topic: Operating Systems

Windows 7 zero-day reported

Summary: A security researcher said there is a zero-day vulnerability affecting Windows 7 and Vista. The alleged flaw could allow an attack that could cause the "Blue Screen of Death."

Tom Espiner

By |

A security researcher has said there is a zero-day vulnerability affecting Windows 7 and Vista.

The flaw in Windows 7 could allow an attack which would cause a critical system error, or "Blue Screen of Death", according to researcher Laurent Gaffie.

Gaffie wrote in his blog that the flaw lies in a Server Message Block 2 (SMB2) driver.

"SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality," wrote Gaffie in a blog post on Monday.

Gaffie said he had contacted Microsoft. Comments on his blog by other users said that the flaw could lead not only to denial of service, but could also lead to remote code execution.

Computer security publication 'The H' wrote on Tuesday that its German sister publication had tested the proof-of-concept code, and that while the exploit had caused a reboot on Vista, the exploit had not worked on Windows 7.

Metasploit creator HD Moore said in a tweet on Tuesday that an SMB bug appeared to have been introduced into Vista SP1. Coder Josh Goebel said in a blog post that he had added the exploit code to Metasploit.

Microsoft had not responded to a request for comment at the time of writing.

This article was originally posted on ZDNet UK.

Topics: Operating Systems, Browser, Malware, Microsoft, Security, Software, Windows

About

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Google+ Contact

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

36 comments
Log in or register to join the discussion

  • Oh my god, a piece of software has an error!

    I think if this can be duplicated (as it seems from the story the 'bug' is inconsistent) the it will be patched. Every software has bugs and few software is more complex than an OS.
    JasonJD48
    Reply Vote

  • RE: Windows zero-day reported

    Windows needs to be completely rewritten. These daily exploits are just ridiculous.
    gertruded
    Reply Vote

    • Daily?

      [i]These daily exploits are just ridiculous.[/i]

      Hmmmm...what was yesterady's? Sunday's? Saturday's?
      mgp3
      Reply Vote

      • Oh my god, an exaggeration on a blog!

        [b]
        [/b]
        AzuMao
        Reply Vote

  • RE: Windows zero-day reported

    is this why I payed $300 for? I need my money back! I was robed by M$. I should have stayed with Linux instead.


    Wait a minute. False alarm. My home Computers are all Ubuntu linux base.
    znetlol
    Reply Vote

    • It's your assertion Linux doesn't have vulnerabilities?

      That's a really stupid assertion.
      ye
      Reply Vote

      • You are right

        Linux has it's share of vulnerabilities and so does windows, but the difference is that you pay money to get windows, while Linux is free and libre.
        JMGM
        Reply Vote

        • Indeed

          And when something like this comes along, the hard-earned money I paid will go towards the salary of the folks that will put out a patch for this 'flaw' by next tuesday. As opposed to me freely posting on Ubuntu forums and waiting for someone to freely care enough to freely code a patch. As always, you get what you pay for.

          "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
          gnesterenko
          Reply Vote

          • Of course

            That assumes that the fix will be available by the next Tuesday of which I don't believe there is a guarantee.

            It also makes an incorrect assertion that it is only hobby coders are fixing the linux Kernel vulnerabilities. Several companies have an interest in the kernel and actually pay their own coders to spend time submitting fixes. True, there may be less predictability of patch delivery (knowing it will be on a Tuesday but not necessarily predictability of which Tuesday).

            I have been trying to locate recent studies which compare average time to deliver patches but have not found one that is not slanted to one side or the other to a large extent (ie MS funded or a pro-linux site). If any would have a comparison, that would be beneficial.
            Viva la crank dodo
            Reply Vote

          • Really?

            Usually, as soon as I hear about a vulnerability I find a patch in the repositories the same day with Debian.

            If I'm not mistaken it has sometimes taken MS month to fix vulnerabilities. Years even...
            Tim Patterson
            Reply Vote

          • Need we?

            Refer back to that 8 year old vulnurabiilty of Linux? Well to be fair, I think it only was in effect for 3 or 4 years. Sooo, lets not start getting anecdotal 'evidence'.

            "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
            gnesterenko
            Reply Vote

          • Known vulnerabilities

            Difference is, Tim Patterson was writing about [i]known[/i] vulnerabilities that went unpatched for years in Windows systems...

            The vulnerability you describe was fixed same day.
            sabroad
            Reply Vote

          • Nope. If anything, stuff in Linux gets fixed faster than Windows.

            Now stop trying to spread FUD.
            AzuMao
            Reply Vote

        • Your point being? nt

          [i]Linux has it's share of vulnerabilities and so does windows, but the difference is that you pay money to get windows, while Linux is free and libre.[/i]
          ye
          Reply Vote

          • Point being you don't get what you pay for you nowadays.

            [b]
            [/b]
            AzuMao
            Reply Vote

      • That's a really stupid interpretation.

        Nobody said Linux is perfect. Just that Windows is
        worse or at best even, and costs hundreds of
        dollars.
        AzuMao
        Reply Vote

        • That one

          is even worse than the first one. Windows is 'worse' or at best 'even'. By what parameters? You've contributed nothing other then an irrelevant POV.

          "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
          gnesterenko
          Reply Vote

          • Nope

            Just pointing out ye's straw man antics.
            AzuMao
            Reply Vote

      • Stupid assertion...

        Oh look...yet another windows vulnerability...totally shocking.
        linuxer
        Reply Vote

        • Faggot

          Last time i checked.. at the Hacker convention last year (i forget what its called), Mac OS X was easier to hack than Windows. You Windows haters need to chill the fk out.
          Hiveon
          Reply Vote
CNET Join | Log In | Privacy | Cookies Close