Windows 7 zero-day reported

Tom Espiner ZDNet UK | September 8, 2009 8:23 AM PDT

Summary

A security researcher said there is a zero-day vulnerability affecting Windows 7 and Vista. The alleged flaw could allow an attack that could cause the "Blue Screen of Death."

Topics

Researcher, Flaw, Blog, Microsoft Windows Vista, Microsoft Windows 7, Microsoft Windows, Microsoft Windows Vista (Longhorn), Blogging, Operating Systems, Software, Internet, malware, bug, security, Windows Vista, Tom Espiner ZDNet UK

Vendor HotSpot

Here to help you with your Document Management Needs

Read the DocuMentor blog now

Learn More »

A security researcher has said there is a zero-day vulnerability affecting Windows 7 and Vista.

The flaw in Windows 7 could allow an attack which would cause a critical system error, or "Blue Screen of Death", according to researcher Laurent Gaffie.

Gaffie wrote in his blog that the flaw lies in a Server Message Block 2 (SMB2) driver.

"SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality," wrote Gaffie in a blog post on Monday.

Gaffie said he had contacted Microsoft. Comments on his blog by other users said that the flaw could lead not only to denial of service, but could also lead to remote code execution.

Computer security publication 'The H' wrote on Tuesday that its German sister publication had tested the proof-of-concept code, and that while the exploit had caused a reboot on Vista, the exploit had not worked on Windows 7.

Metasploit creator HD Moore said in a tweet on Tuesday that an SMB bug appeared to have been introduced into Vista SP1. Coder Josh Goebel said in a blog post that he had added the exploit code to Metasploit.

Microsoft had not responded to a request for comment at the time of writing.

This article was originally posted on ZDNet UK.

Talkback Most Recent of 36 Talkback(s)

Follow via:: RSS; Email Alert

Oh my god, a piece of software has an error!

I think if this can be duplicated (as it seems from the story the 'bug' is inconsistent) the it will be patched. Every software has bugs and few software is more complex than an OS.
JasonJD48
8th Sep 2009
- Reply to
- Flag
RE: Windows zero-day reported

Windows needs to be completely rewritten. These daily exploits are just ridiculous.
gertruded
8th Sep 2009
- Reply to
- Flagged
Daily?

These daily exploits are just ridiculous.

Hmmmm...what was yesterady's? Sunday's? Saturday's?
mgp3
8th Sep 2009
- Reply to
- Flag
Oh my god, an exaggeration on a blog!
AzuMao
9th Sep 2009
- Flag
RE: Windows zero-day reported

is this why I payed $300 for? I need my money back! I was robed by M$. I should have stayed with Linux instead.

Wait a minute. False alarm. My home Computers are all Ubuntu linux base.
znetlol
8th Sep 2009
- Reply to
- Flagged
It's your assertion Linux doesn't have vulnerabilities?

That's a really stupid assertion.
ye
8th Sep 2009
- Reply to
- Flag
You are right

Linux has it's share of vulnerabilities and so does windows, but the difference is that you pay money to get windows, while Linux is free and libre.
JMGM
8th Sep 2009
- Flag
Indeed

And when something like this comes along, the hard-earned money I paid will go towards the salary of the folks that will put out a patch for this 'flaw' by next tuesday. As opposed to me freely posting on Ubuntu forums and waiting for someone to freely care enough to freely code a patch. As always, you get what you pay for.

"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
gnesterenko
8th Sep 2009
- Flag
Of course

That assumes that the fix will be available by the next Tuesday of which I don't believe there is a guarantee.

It also makes an incorrect assertion that it is only hobby coders are fixing the linux Kernel vulnerabilities. Several companies have an interest in the kernel and actually pay their own coders to spend time submitting fixes. True, there may be less predictability of patch delivery (knowing it will be on a Tuesday but not necessarily predictability of which Tuesday).

I have been trying to locate recent studies which compare average time to deliver patches but have not found one that is not slanted to one side or the other to a large extent (ie MS funded or a pro-linux site). If any would have a comparison, that would be beneficial.
Viva la crank dodo
8th Sep 2009
- Flag
Really?

Usually, as soon as I hear about a vulnerability I find a patch in the repositories the same day with Debian.

If I'm not mistaken it has sometimes taken MS month to fix vulnerabilities. Years even...
Tim Patterson
8th Sep 2009
- Flag
Need we?

Refer back to that 8 year old vulnurabiilty of Linux? Well to be fair, I think it only was in effect for 3 or 4 years. Sooo, lets not start getting anecdotal 'evidence'.

"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
gnesterenko
9th Sep 2009
- Flag
Known vulnerabilities

Difference is, Tim Patterson was writing about known vulnerabilities that went unpatched for years in Windows systems...

The vulnerability you describe was fixed same day.
sabroad
10th Sep 2009
- Flag
Nope. If anything, stuff in Linux gets fixed faster than Windows.

Now stop trying to spread FUD.
AzuMao
11th Sep 2009
- Flag
Your point being? nt

Linux has it's share of vulnerabilities and so does windows, but the difference is that you pay money to get windows, while Linux is free and libre.
ye
8th Sep 2009
- Flag
Point being you don't get what you pay for you nowadays.
AzuMao
11th Sep 2009
- Flag