Windows 7: Released with known critical bug

The Debian project defines a critical bug as “makes unrelated software on the system (or the whole system) break, or causes serious data loss, or introduces a security hole on systems where you install the package.”

FSF Europe reported that “Windows 7, is currently shipping with a potentially serious defect [...] a high-risk vulnerability in the SMB2 protocol. This can be exploited over the network to shut down a computer with a Denial of Service (DoS) attack.” (Full details)

You’d be hard pressed to know this from all the Windows 7 launch ra-ra on the BBC and others. Where was the Public Service part of the broadcast, warning customers about this awful problem?

Please, when picking your software, when choosing your next operating system, select one that is mainly cooperatively-developed and which makes a promise like “we will not hide problems”. Debian, Fedora and CentOS all make promises of openness. Check whether your system does and if it does, mention it in the comments here. If it doesn’t – please ask its developers!

This entry was posted in SPI.

7 Responses to Windows 7: Released with known critical bug

  1. Pingback: MJ Ray (mjray) 's status on Wednesday, 28-Oct-09 07:06:33 UTC - Identi.ca

  2. Alphager says:

    The SMB2-Vulnerability was fixed two weeks ago…

  3. MJ Ray says:

    in Windows 7? Got link? If so, why hasn’t anyone told cert-bund.de yet?

  4. btw says:

    you’re starting to sound like an annoying evangelical.

  5. MJ Ray says:

    starting to? ;-) This isn’t a new thing for me. Three of the cooperative principles are “education, training and information”, “cooperation among cooperatives” and “concern for community”. http://www.ica.coop/coop/principles.html#5 – I’m concerned that the co-op community may sleepwalk into Windows 7, so let’s get some educational information about the alternatives out there.

  6. Simon Waters says:

    I think the confusion is there are so many vulnerabilities in the SMB2 protocol stack that it is hard to keep track of them.

    Microsoft fixed 3 issues in MS09-050 which were critical or important on all relevant platforms.

    But this is a critical SMB vulnerability that wasn’t fixed in MS09-050 as the article linked to explains.

    From a practical perspective it is mostly irrelevant, in that anyone exposing protocols like SMB that are intended for office users, hasn’t got the idea of minimizing the exposed services. Although viruses could exploit some of these to spread within a network once in, most of these are DoS issues.

    Such a large number of vulnerabilities being discovered before release, does suggest that Microsoft coding practices are not exceeding industry standards. The bigger story here is that they aren’t patching quickly when they know of issues, and they aren’t backporting to “supported” operating systems quickly.

  7. Jon says:

    It’s not clear whether this bug is exploitable with a factory-default Windows 7 configuration, or whether the user must first turn on file/printer sharing and/or mark a directory as shared. I think that has a bearing on how critical this bug is.
