Microsoft investigating zero-day Windows 7 hole

Microsoft confirmed to CNET News that it is looking into a report of a vulnerability in Windows 7 and Server 2008 R2 that a malicious attacker could use to remotely crash PCs.

The software giant is looking into claims of a "possible denial-of-service vulnerability in Windows Server Message Block (SMB)," a Microsoft spokesperson confirmed. Security researcher Laurent Graffie published proof-of-concept code in a blog posting proclaiming "This bug is a real proof that SDL #FAIL". Laurent also added "the bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL had ever existed."

The flaw triggers an endless loop in the Server Message Block (SMB) protocol used for sharing files in Windows. The vulnerability report came a day after Microsoft's Patch Tuesday for November, in which the software company released six patches to fix 15 vulnerabilities across different versions of Windows and Office.

Thanks to Jonathan Yaniv for the news tip


36 Comments


hotdog963al said,
Oh lawdie! I thought Windows 7 was supposed to be secure!

Every operating system has flaws. Linux updates? Oh they are to fix security issues. Mac updates? Same. So Windows is no different here.

There is no such thing as a 100% secure and internet connected machine. The only machines that are 100% internet secure are the ones not connected to the internet at all.

shinji257 said,
Every operating system has flaws. Linux updates? Oh they are to fix security issues. Mac updates? Same. So Windows is no different here.

There is no such thing as a 100% secure and internet connected machine. The only machines that are 100% internet secure are the ones not connected to the internet at all.


That is totally true. Anything man made has flaws.

Most of the viruses encountered are related to remote access or allowing access to one's PC. No need to worry about this stuff if you don't do any remote desktop or whatnot. Have a firewall also that pops up anything that is trying to make contact with whatever app you are using that you don't trust and you're pretty much safe.

This was on the full-disclosure list at 23:00 UTC 10 Nov, 2009. According to the poster:
"November 8th, 2009: MSRC contacted
November 8th, 2009: MSRC acknowledge the vuln
November 11th, 2009: MSRC try to convince me that multi-vendor-ipv6 bug shouldn't appear on a security bulletin.
November 11th, 2009: Win 7 remote kernel smash released"

The POC code is also in the post on full-disclosure email list.

"This bug is a real proof that SDL #FAIL"

If Secure Development Lifecycle is a failure, then why do products developed with the SDL methodology have far fewer flaws than their competitors?
IE = 30 flaws/year, Firefox = 120 flaws/year
SQL Server has about 10 times fewer flaws than Oracle
and Silverlight has had one flaw in 2 years! Nothing compared to Flash player...
and I won't talk about WMP vs QuickTime/Real player, or .NET vs Java ^^

Sure, no matter the facts, SDL must be a failure if a guy on the internet who found a bug with a fuzzing tool says so... XD

link8506 said,
IE = 30 flaws/year , Firefox = 120 flaws/year

There is a big difference between the number of flaws reported by an open source program with full disclosure and the number of flaws reported by a closed source company. Just because the IE team only reports, or patches 30 flaws a year, doesn't mean that is all there is.

kenboldt said,
There is a big difference between the number of flaws reported by an open source program with full disclosure and the number of flaws reported by a closed source company. Just because the IE team only reports, or patches 30 flaws a year, doesn't mean that is all there is.


So you're suggesting that closed source software is more secure by nature?

kenboldt said,
There is a big difference between the number of flaws reported by an open source program with full disclosure and the number of flaws reported by a closed source company. Just because the IE team only reports, or patches 30 flaws a year, doesn't mean that is all there is.

Just because they only found 120 vulnerabilities in an open source project doesn't mean that more don't exist. Open or closed source they both hinge upon flaws being found. Flaws are found in closed source just as easily as open source. Really, they both work the same way. You find the flaws when you run the software. It's really hard to spot things beyond trivial bugs by reading the source.

They keep ranting on and on about "zero-day" bugs. If they are right, shouldn't Windows 7 have been killed since the first "zero-day" bug?

In my opinion it was not very wise to make this problem public just 3 days after contacting Microsoft by the author. Anyway after reading his blog post he seems to me like a kid, he probably found this bug by chance.

I like how he calls MS noobs for not spotting it in 2 years, when the researchers themselves haven't spotted it for 2 years either. Pot. Kettle. Black.

Yeah, I found that interesting too. Sounds like he stumbled across this and immediately wanted to show off... Very childish... I as a user would greatly appreciate these "geniuses" giving Microsoft a chance to patch the bug before they post PoC code on the internet... Stupid...

Laurent also added "the bug is so noob, it should have been spotted 2 years ago by the SDL if the SDL had ever existed."

Are those his exact words? A 13-year-old security researcher?

GP007 said,
So, anyone care to give this a try and see if it works?

I tried.
Either it's missing something (I wouldn't be able to tell, I'm not a python person) or it doesn't work on 64bit.

FacialTurd said,
I tried.
Either it's missing something (I wouldn't be able to tell, I'm not a python person) or it doesn't work on 64bit.

Actually, it does work. No BSOD, it just gradually freezes up.

FacialTurd said,
I tried.
Either it's missing something (I wouldn't be able to tell, I'm not a python person) or it doesn't work on 64bit.

It has to work on 64bit. 2008 R2 only comes as x64.

GP007 said,
Ahh, ok, so it's basically just another DDoS of sorts. It should be a simple fix for MS I'd expect.

That'll be why the article said "possible denial-of-service vulnerability" then :P

I doubt MS will make a big deal about this. From the sound of it someone needs to have file-share access to the server to make it crash, and that is all they can do, they can't hack it. Embarrassing for sure, but since it is very rare to open that up to the public internet this is not the kind of thing that warrants an out-of-cycle patch.