Microsoft confirms Windows 7 bug, along with own hypocrisy
Microsoft has confirmed that an unpatched bug in Windows 7 could give hackers the ability to bring machines to a standstill. But the firm has condemned a security researcher for the way he publicized the bug, despite having used similar tactics itself.
The issue was raised by Laurent Gaffie, who noted that a flaw in the Server Message Block system (a Windows component which handles file and printer sharing in networks) would allow a hacker to cause an infinite loop in the Windows kernel. When triggered, this would leave the machine effectively frozen until rebooted: an annoyance for a home user and a potentially massive waste of resources for a corporate network attacked this way.
(This issue is not related to a kernel issue in XP and Vista which, unless fixed by an update in the latest “Patch Tuesday” collection, could allow a hacker to take complete control of the kernel.)
Microsoft has now confirmed that it is investigating the Windows 7 issue but stresses that the bug can’t be used for taking control of a computer or installing software (neither of which was claimed by Gaffie).
In a surprising comment, given that security notices from Microsoft are usually very dry, the firm writes:
Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests.
That may or may not be the case in this situation: Gaffie claims he notified Microsoft of the issue three days before publicizing it. And it’s certainly a fair point that Gaffie should not have gone so far as to publish the full details of how the bug could be exploited before a fix was ready.
But the claims certainly have an air of cheekiness about them. Back in September Microsoft announced a security bug with the IIS Web site system before having a patch ready, potentially tipping off hackers to a vulnerable target. And in May the company patched a bug in the Windows edition of Office before announcing the issue also affected Mac users, despite not having a patch in place.