Microsoft to fix first critical hole in Windows 7 on Tuesday

Microsoft confirmed on Wednesday that it plans to push out a fix for a critical security hole in Windows 7 next Tuesday.

Microsoft officials posted an advance security bulletin today confirming that Windows XP will have 6 critical holes patched, Windows Vista 5 and Windows 7 only one. "Critical" is the highest of the severity ratings the company uses, defined as "a vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

Microsoft will ship a total of 13 updates on Tuesday, eight of them marked as critical. The company's previous record was 12 updates, set in both February 2007 and October 2008, so next Tuesday will set a new record. This is Windows 7's first critical patch, and initial information suggests Internet Explorer 8 is at fault. Neowin will be live from the New York launch of Windows 7 on October 22, where Microsoft CEO Steve Ballmer will release Windows 7 to the world.

48 Comments

I've been using Windows 7 since this spring, and the RC since early summer, and I love it. I can't wait to say ciao to Vista at home (which now will randomly not let me put my PC to sleep (tried like 6 different solutions to no avail), but that is another story).

I've only one complaint so far, and it is one that has been happening for the last 2-3 months: the ridiculous amount of updates. It's asking me to update definitions literally every two days; it's driving me insane. I'm sure they're doing all of this right now to patch up the holes before the release date, but still, can't they batch it together and send it over every other week? They are nothing significant or critical, so why annoy me non-stop about it? Has anyone else here noticed this?
I used to think XP and Vista were buggers, but this is like a joke; I'll contain my twitching every time (read: daily) it pops up in the corner, ignore it a few days so that I may install multiples at once, then the second they are installed, SURPRISE! New definition updates the next morning!

Here's to hoping it won't be the same once the final OS is out.

I wish there would be a re-build of RTM with all those updates. It's really a shame; when 7 is released, there will already be a ton of updates..

6205 said,
I wish there would be a re-build of RTM with all those updates. It's really a shame; when 7 is released, there will already be a ton of updates..


Yes, because a ton of updates are any IE8 compatibility view updates (which get pushed to IE8 on Vista, 2008 and XP...), the latest Malicious Software Removal Tool, Windows Defender updates (both of these also pushed to older OSes) and this IE8 flaw? Yes, that's a ton of updates...wow..they should totally recompile the RTM, which they'd then need to retest all over again and push the release back...sure thing..

I agree. Windows 7 is shaping up to be very good. I have been using the RTM Ultimate for a little while now and the experience is freaking great. It's so fast and stable that I am simply amazed that this is a product from MS. I play lots of games, and with SLI my games run fast with no crashes. Good job Nvidia for constantly updating their graphics driver and Realtek for great HD sound. Man, my laptop is going to be a year and a half old and I was thinking about a new one, but now, no way. I don't see the need for a new computer. First time I have ever upgraded my Windows OS and my hardware ran better. I like this trend. I feel for the hardware people because if this trend keeps up, only the ones who need the latest and greatest will be running out buying new hardware all the time.

Cool, right on MS, keep up the good work.
Sweet that Win 7 only needs 1 patch, after being out for quite a long time now, using a very old browser to boot.
Besides, I love downloading stuff.

I hadn't been using IE ever since I moved to Firefox. Last night I tried opening IE up and left it alone. Went to bed and I heard advertising. Came to check the computer, closed everything. I still heard the ads. Opened my task manager and voila, about 20-40 IE processes running in the background without showing on the desktop. Scanned the computer and bam, I have 44 viruses and trojans in the system. I guess IE is very secure.

Krome said,
I hadn't been using IE ever since I moved to Firefox. Last night I tried opening IE up and left it alone. Went to bed and I heard advertising. Came to check the computer, closed everything. I still heard the ads. Opened my task manager and voila, about 20-40 IE processes running in the background without showing on the desktop. Scanned the computer and bam, I have 44 viruses and trojans in the system. I guess IE is very secure.

Uh, your computer doesn't magically get infected just by leaving IE open. Your machine was already infected by something you did previously.

FrozenEclipse said,
Uh, your computer doesn't magically get infected just by leaving IE open. Your machine was already infected by something you did previously.


Exactly.

And I never heard about anyone getting infected by IE on a Vista/7 computer, even without applying security updates for IE. ASLR, DEP, and the sandbox (protected mode) prevent malware from being installed by exploiting flaws, even if you never apply security updates for IE or its plugins (Flash, Adobe Reader).

The IE sandbox has never been compromised (even at the CanSecWest contest, where the rule is to read the hard drive, not to write! If the rule was to set up a malware in the user profile, IE would have won the contest these last 3 years, since this is impossible without a flaw in the Windows kernel).

soldier1st said,
Hey MS, why don't you fix a lot of those bugs in Windows 7 like the ones I am experiencing?

Did you report anything? You know that no-detail article comments on Neowin don't count, right?

soldier1st said,
Hey MS, why don't you fix a lot of those bugs in Windows 7 like the ones I am experiencing?

Thanks to your detailed bug report in this thread, and that the Windows Team is paying attention to these threads, MS will jump right to fixing your issues.

That means if you're on Windows, the only way to protect yourself against this critical vulnerability is to use versions 3.5 or 3.0.13 or later of Firefox.


So if IE, Safari and Chrome were affected, FF is the only browser unaffected? Give me a f'n break.

timster said,
So if IE, Safari and Chrome were affected, FF is the only browser unaffected? Give me a f'n break.

Mozilla patched the null-prefix exploit in August, as soon as it was discovered. It has taken MS nine weeks to issue a patch.

That means if you're on Windows, the only way to protect yourself against this critical vulnerability is to use versions 3.5 or 3.0.13 or later of Firefox. At least until Microsoft fixes the CryptoAPI, whenever that may be.

toadeater said,
Mozilla patched the null-prefix exploit in August, as soon as it was discovered. It has taken MS nine weeks to issue a patch.


It helps when you can just patch it up and not worry about something other than your app breaking. MS takes so long because it tests things out. Plus they have to patch more than just one version of IE; I figure it's a bit different between IE for XP and IE for Vista/7.

toadeater said,
Mozilla patched the null-prefix exploit in August, as soon as it was discovered. It has taken MS nine weeks to issue a patch.


The exploit on Firefox was worse than on IE. A single specially crafted certificate could be used to usurp the identity of any HTTPS server.
On IE you need to buy a certificate for each server identity you want to usurp, and since VeriSign and other CAs are aware of the null byte flaw, they won't issue new certificates that allow exploiting this flaw.

Anyway, it takes a long time for Microsoft to publish this kind of patch because much software relies on the crypto API, thus each change in this kind of system component must be tested for several weeks with thousands of third-party programs. Don't think Microsoft doesn't care about security; that's completely wrong. But they care more about compatibility, because that's what their biggest customers expect from them. Many big businesses never update their software because they fear that an update may break something.
IE7/8 on Vista/7 do a great job at reducing the security risks thanks to its sandbox, something that Firefox still lacks... thus Firefox users are more vulnerable to plugin flaws like Flash and Adobe Reader 0-day flaws than IE users. Of course, the sandbox doesn't help with flaws like this one, but it helps to protect from memory corruption flaws that allow malware installation.
Furthermore, there have been fewer flaws in IE than Firefox these last few years, and Firefox flaws are sometimes fixed years after they have been reported on Bugzilla, since Mozilla cares about fixing bugs only when someone provides proof that the bug is exploitable (if you don't believe me, look at a few security bulletins on http://www.mozilla.org/security/announce/ and look at the matching entries on Bugzilla).
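The null byte certificate problem the post above describes, as an added example that is not code from Microsoft, Mozilla or the commenters: a subject-name check that hands a length-prefixed DER string to C-string logic (truncating at the first NUL) beside a length-aware check that rejects embedded NULs and constrains wildcards. Every certificate name and hostname here is constructed for the demonstration.

```python
"""Hypothetical name-matching example for the null-prefix certificate flaw.

Not Microsoft, Mozilla or browser code; all subject names and hosts below
are constructed. Shows why one crafted name could match one host (or,
with a wildcard, every host) in a flawed checker, and what a correct
checker does instead.
"""
import fnmatch


def as_c_string(name: str) -> str:
    """Mimic a consumer that passes a length-prefixed DER string to C string
    routines: everything from the first NUL byte onward is silently dropped."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def flawed_match(cn: str, host: str) -> bool:
    """Vulnerable pattern: truncate at NUL, then a lax glob-style wildcard."""
    return fnmatch.fnmatchcase(host.lower(), as_c_string(cn).lower())


def safe_match(cn: str, host: str) -> bool:
    """Hardened check: refuse embedded NULs, compare the full value label by
    label, and allow '*' only as the entire leftmost label of a name with
    at least three labels (so a bare '*' never matches anything)."""
    if not cn or not host or "\x00" in cn:
        return False
    cn_labels = cn.lower().split(".")
    host_labels = host.lower().split(".")
    if cn_labels[0] == "*":
        return (len(cn_labels) >= 3
                and len(cn_labels) == len(host_labels)
                and cn_labels[1:] == host_labels[1:])
    return cn_labels == host_labels


# Constructed names: the first collapses to one victim host after truncation
# (a CA would have to issue one such certificate per impersonated name, as the
# post notes); the second collapses to '*' and matches every host when the
# checker is flawed. The third is an ordinary, legitimate wildcard.
SINGLE_HOST_CN = "www.example.com\x00.attacker.example"
WILDCARD_CN = "*\x00.attacker.example"
LEGIT_WILDCARD = "*.example.com"


def compare(cn: str, host: str) -> tuple:
    """Return (flawed_verdict, safe_verdict) for one subject name and host."""
    return flawed_match(cn, host), safe_match(cn, host)
```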

timster said,
I'll stick to Opera 10 for paypal stuff


... which, like Firefox, doesn't use CryptoAPI. According to a Slashdot comment, it uses OpenSSL. Not sure if the exploit does affect Opera despite this though.

link8506 said,
The exploit on Firefox was worse than on IE. A single specially crafted certificate could be used to usurp the identity of any HTTPS server.
On IE you need to buy a certificate for each server identity you want to usurp, and since VeriSign and other CAs are aware of the null byte flaw, they won't issue new certificates that allow exploiting this flaw.

Anyway, it takes a long time for Microsoft to publish this kind of patch because much software relies on the crypto API, thus each change in this kind of system component must be tested for several weeks with thousands of third-party programs. Don't think Microsoft doesn't care about security; that's completely wrong. But they care more about compatibility, because that's what their biggest customers expect from them. Many big businesses never update their software because they fear that an update may break something.
IE7/8 on Vista/7 do a great job at reducing the security risks thanks to its sandbox, something that Firefox still lacks... thus Firefox users are more vulnerable to plugin flaws like Flash and Adobe Reader 0-day flaws than IE users. Of course, the sandbox doesn't help with flaws like this one, but it helps to protect from memory corruption flaws that allow malware installation.
Furthermore, there have been fewer flaws in IE than Firefox these last few years, and Firefox flaws are sometimes fixed years after they have been reported on Bugzilla, since Mozilla cares about fixing bugs only when someone provides proof that the bug is exploitable (if you don't believe me, look at a few security bulletins on http://www.mozilla.org/security/announce/ and look at the matching entries on Bugzilla).


Thanks for the details, I hope more people read what you posted before they jump up and down and beat the "MS is so slow with patches!" drum.

I've turned off Java in my browsers. Not only am I more secure now (the last couple worms my friends and family got were spread through Java), but I've noticed that tabs in IE8 open faster too.

IE8's slower tabs/performance, outside of JavaScript, is often the fault of add-ons like Java screwing it over. That's why the IE8 add-on manager lists the time it takes for add-ons to load, so you can see what's slowing things down.

Dude, chill. Windows 7 was released a long time ago, months ago actually. You cannot expect security to all of a sudden be smooth as butter; we move on.

TonyLock said,
Before it's even launched! HUH!

You sure are misinformed....

Did you know about something called 7 RTM or OEM 7 availability or Technet 7 availability..

Read just a little bit about RTM and you will know when and how it means that 7 was released 2 months ago...

RTM does not mean launched. TonyLock was right. However, this is nothing unusual, the same thing happened with XP, and I believe Vista as well.

roadwarrior said,
RTM does not mean launched. TonyLock was right. However, this is nothing unusual, the same thing happened with XP, and I believe Vista as well.

Right about what exactly? All he did was state the obvious (I hear he's almost ranked captain now) with an apparent attitude, as if fixing an issue before launch is a bad thing.

Fixing any issue is a good thing, especially when the issues being fixed are done in a timely manner. Can't get much better than before retail release I would imagine.

Windows 7 RTM = Aug 6th 2009 (actual RTM was late July, I believe, but not available to people until Aug 6th) ... was on Technet that day, I believe.

So in other words, the FULL VERSION of Windows 7 (legitimately) was available to people on Aug 6th 2009 on Technet.

dead.cell said,
Fixing any issue is a good thing, especially when the issues being fixed are done in a timely manner.

Yes, fixing an issue before launch is good.

However, having issues like this before launch is bad. What Tony is trying to say is that if they have issues like this before the hackers have had a good chance to start exploiting it, it doesn't bode well for Windows 7 (or v6.1).

Uh, no, the only people who think that fixing issues before a retail launch is bad are those who have ridiculous standards, thinking software (especially as big as Windows) will be completely free of issues. Now, during the time Windows 7 has hit RTM up until now, you can't tell me that finding and fixing 1 critical issue is bad.

Now, it'd be a whole 'nother story if they were dropping patches left and right, especially at this point. All in all, I really feel Tony is just blowing this out of proportion.

dead.cell said,
Uh, no, the only people who think that fixing issues before a retail launch is bad are those who have ridiculous standards, thinking software (especially as big as Windows) will be completely free of issues. Now, during the time Windows 7 has hit RTM up until now, you can't tell me that finding and fixing 1 critical issue is bad.

Now, it'd be a whole 'nother story if they were dropping patches left and right, especially at this point. All in all, I really feel Tony is just blowing this out of proportion.


During this time Microsoft issued not 1 but about 30 security and non-security patches to OEM companies.

Bunk said,
However, having issues like this before launch is bad.

As opposed to what? Having them after? Realistically, software has bugs; that MS fixes them in a timely manner is a good thing no matter your view, so the expectation that W7 would be 'perfect' is ludicrous, to be frank.

I think what some people don't seem to realize is that from a code point of view Windows 7 was final as of the RTM date (2+ months ago). The code doesn't care if the product has "launched" or not; it is there, as imperfect now as it was on that date, and will need to be maintained. The entire point of doing the RTM is that Microsoft commits that this is the version that will ship, no more changes! Anything they need to tweak after that point must be done via a patch.