Microsoft confirms new 64-bit Windows 7 vulnerability

Microsoft said on Tuesday that it is investigating a publicly reported vulnerability in the Windows Canonical Display Driver (cdd.dll) affecting 64-bit versions of Windows 7 and Windows Server 2008 R2.

The flaw resides in the Canonical Display Driver, which desktop composition uses to blend Windows Graphics Device Interface (GDI) and DirectX drawing. The issue affects Windows 7 x64, Windows Server 2008 R2 x64, and Windows Server 2008 R2 for Itanium systems. The vulnerability could possibly allow code execution, although successful code execution is unlikely due to memory randomization. If a malicious user were able to exploit the flaw, it would "likely cause the affected system to stop responding and restart," according to a Microsoft spokesperson.

The flaw only affects systems running Windows Aero, which is disabled by default on Windows Server 2008 R2. "We’re currently developing a security update for Windows that will address the vulnerability," said Jerry Bryant, Manager of Response Communications at Microsoft. Bryant also advised that Windows 7 users could disable Windows Aero as a workaround to protect against potential threats.

Microsoft has issued a Security Advisory with full information on the vulnerability. According to security researchers Secunia, the flaw was originally discovered in April 2009 on an IrfanView forum. Secunia is rating the issue as "less critical".


61 Comments

Hopefully MS never copies Apple... They have enough issues already without trying to force people to use only 'approved' hardware. Ironic considering almost all of Apple's systems run on Intel..

Why was the forum thread closed when it was posted before it appeared on the front page?

There is no 128-bit edition of Windows unless you can point us to a valid link to it, otherwise I don't believe you, and the Aero display vulnerability is not a big deal as 64-bit editions have extra defenses that 32-bit does not have, but even on 32-bit Aero is always best to keep on for more performance.

soldier1st said,
There is no 128-bit edition of Windows unless you can point us to a valid link to it, otherwise I don't believe you, and the Aero display vulnerability is not a big deal as 64-bit editions have extra defenses that 32-bit does not have, but even on 32-bit Aero is always best to keep on for more performance.

Someone should also point out that there is no Windows 7 Ultimate from the Future 4096-bit edition...

Tim Dawg said,
Yes that's right. The 128-bit thing is a joke. I'm amazed at how many people took that seriously.
It's no laughing matter that people were conned into getting Win 7 64 when there was a 128bit version available!!!?! jk

Edited by duneworld, May 20 2010, 1:04pm :

Itanium only? I'm sorry how is that even news? I mean, seriously, next thing you'll start publishing OS/2 related material.

Breach said,
Itanium only? I'm sorry how is that even news? I mean, seriously, next thing you'll start publishing OS/2 related material.
What? Another one? I thought the other guy was joking but now the second person who thinks it's Itanium only? Scary....

Tim Dawg said,
What? Another one? I thought the other guy was joking but now the second person who thinks it's Itanium only? Scary....

Didn't see the x64 in the article...

Tim Dawg said,
What? You're joking right?

Yeah, it seems like it is only "Windows Server 2008 R2 for Itanium systems". Of course, it isn't too clear. And I'm not that knowledgeable.

Edited by LaserWraith, May 20 2010, 9:18pm :

yep, also using Win 7 128bit edition here, i mean come on people, you still use less than 16 exabytes of ram? is that even enough for emails? not even talking about browsing the web or msn conversations...

BanneD said,
yep, also using Win 7 128bit edition here, i mean come on people, you still use less than 16 exabytes of ram? is that even enough for emails? not even talking about browsing the web or msn conversations...

Someone above already said that joke and it was funnier. -1

Truth is that this vulnerability is in framework for handling security certificates and responsible person for this "Windows Canonical Display Driver" is current Canonical CEO Mark S., founder of Ubuntu IMO it's very lame attempt to fix Ubuntu's bug #1 Windows rules

6205 said,
Truth is that this vulnerability is in framework for handling security certificates and responsible person for this "Windows Canonical Display Driver" is current Canonical CEO Mark S., founder of Ubuntu IMO it's very lame attempt to fix Ubuntu's bug #1 Windows rules

I understand all of these words, but the order in which they've been strung together makes no sense to me.

I think there's a lame attempt at a joke in there somewhere.

6205 said,
Truth is that this vulnerability is in framework for handling security certificates and responsible person for this "Windows Canonical Display Driver" is current Canonical CEO Mark S., founder of Ubuntu IMO it's very lame attempt to fix Ubuntu's bug #1 Windows rules
I see what ya did there.

hotdog963al said,
Glad I'm using 32-bit with Aero off off off.

and that makes you free from other vulnerabilities?

oh come on

Edited by webeagle12, May 19 2010, 6:00pm :

hotdog963al said,
Glad I'm using 32-bit with Aero off off off.

Grats! You're using an edition that is more vulnerable overall, and missing out on GPU acceleration to offload CPU usage.

Your technical knowledge should be commended.

Not.

Athernar said,

Grats! You're using an edition that is more vulnerable overall, and missing out on GPU acceleration to offload CPU usage.

Your technical knowledge should be commended.

Not.

Agreed. Aero off is a bad bad bad idea, turn it on on on. Looks better and takes the pressure off the CPU, hence a faster computer.

Billus said,

Agreed. Aero off is a bad bad bad idea, turn it on on on. Looks better and takes the pressure off the CPU, hence a faster computer.

My netbook's Intel 9xx crap-o-chip heavily disagrees.

Billus said,

Agreed. Aero off is a bad bad bad idea, turn it on on on. Looks better and takes the pressure off the CPU, hence a faster computer.

Wait... (I'm not very knowledgeable with this so don't kill me k?) but why does turning off a fancy graphics thing (i.e. Aero) take a greater toll on the CPU than having it on? To me that doesn't make any sense... it's like saying: turning the graphics UP on computer game will make it run smoother and quicker. No?

agreenbhm said,
I'm sure all those folks running Windows Server 2008 R2 Itanium Edition are really scared about getting h4x0red.

with all the Itanium servers running Aero

agreenbhm said,
I'm sure all those folks running Windows Server 2008 R2 Itanium Edition are really scared about getting h4x0red.

I'm sure both users have things sorted out.

astroX said,
too bad .. I'm already testing Windows 8 Ultimate 'Bob Edition' 128-bit >:]
OMG I remember Bob. Boy that brings back bad memories. LOL

s3n4te said,
And thus ladies and gentlemen, this is why I only use Windows 7 128-bit.

128-bit is a waste of time. That's why I took the plunge and brought a copy of Windows 7 Ultimate from the Future 4096-bit edition.

s3n4te said,
And thus ladies and gentlemen, this is why I only use Windows 7 128-bit.

yeah, I have a copy and it is phenomenal ... the #d rendering is insane ... ya'll should upgrade from XP ... (I meant 7)

ObiWanToby said,
Sounds like it isn't that big of a deal.

Secunia is rating the issue as "less critical"

so not big deal!!!!

If a malicious user were able to exploit the flaw it would "likely cause the affected system to stop responding and restart" according to a Microsoft spokesperson.

With certain 3rd party drivers, Windows can do that all on its own. Not really an issue.