Security

A flaw in Vista's networking has been found that can crash the system, but no fix is expected until the next service pack

A flaw has been found in Windows Vista that could allow rootkits to be hidden or denial-of-service attacks to be executed on computers using the operating system.

The vulnerability was found by Thomas Unterleitner of Austrian security company Phion and was announced Friday. Unterleitner told ZDNet UK on Friday that Phion told Microsoft about the flaw in October but that he understood a fix would only be issued in the next Vista service pack.

According to Unterleitner's disclosure of the flaw, the issue lies in the network input/output subsystem of Vista. Certain requests sent to the iphlpapi.dll API can cause a buffer overflow that corrupts the Vista kernel memory, resulting in a blue-screen-of-death crash.

"This buffer overflow could (also) be exploited to inject code, hence compromising client security," Unterleitner said.

Unterleitner told ZDNet UK via e-mail that the "exploit can be used to turn off the computer using a (denial-of-service) attack." He also suggested that, because the exploit occurs in the Netio.sys component of Vista, it may make it possible to hide rootkits.

Using a sample program, Unterleitner and his colleagues ascertained that Vista Enterprise and Vista Ultimate were definitely affected by the flaw, with other versions of Microsoft's operating system "very likely" to be affected as well. Both 32-bit and 64-bit versions are vulnerable. Windows XP is not affected.

Asked about the severity of the flaw, Unterleitner pointed out that administrative rights were needed to execute a program calling the function that would cause the buffer overflow. However, he also said it was possible--but not yet confirmed--that someone could use a malformed DHCP packet to "take advantage of the exploit without administrative rights."

"We have worked together with Microsoft Security Response Center in Redmond since October 2008 to locate, classify and fix this bug," Unterleitner wrote. "Microsoft will ship a fix for this exploit with the next Vista service pack."

Microsoft told ZDNet UK on Friday that it had investigated the issue, but was "currently unaware of any attacks trying to use the vulnerability or of customer impact." It could not, however, confirm the inclusion of a fix for the problem in the next as-yet-unreleased service pack for Vista, nor give the release date for that service pack.

David Meyer of ZDNet UK reported from London.

Microsoft will issue a patch for a "critical" security flaw in Windows, the company said Thursday. The patch comes outside of its normal monthly patching cycle due to the severity of the issue.

The vulnerability can result in a remote code execution, in which malicious attackers could take control of a user's computer to launch code.

According to Microsoft's bulletin, the vulnerability is found in Windows 2000 with Service Pack 4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Microsoft will hold a Webcast at 1 p.m. PDT to address the issue.

Issuing patches outside of its monthly cycle is rare for Microsoft. The last time it happened was April 2007, according to a Microsoft representative.

Apple on Friday issued an update for iTunes 8 that specifically addresses problems experienced by Windows Vista users, and issued general recommendations for Windows XP and Vista users experiencing sync issues with iPhone and iPod touch devices.

Since its release earlier in the week, iTunes 8 has bedeviled some Windows Vista users with the so-called blue screen of death, or BSOD, and other issues. Speculation has focused on an incompatibility with USB devices, such as Webcams and printers.

In a support post, Apple recommends that Windows Vista users experiencing difficulty should uninstall iTunes 8 and, after rebooting the computer, reinstall the updated application. (You can download the updated iTunes 8 for Windows from CNET's Download.com.)

Also on Friday, Apple posted recommendations regarding problems experienced by Windows XP and Windows Vista users when syncing the iPhone or iPod Touch devices containing saved photos. Apple says that "while any driver software could be a factor, updating the software drivers for Logitech QuickCam/Webcam products, Lexmark scanners, and some built-in media card reader drivers on the computer may solve this issue in a majority of cases."

Not everyone is rocking to the new iTunes 8 released Tuesday. An informal poll on ZDNet suggests that a problem with the latest edition of the Apple media player is affecting some, but not all, users of the software on Microsoft's Windows Vista. (You can download iTunes 8 for Windows from CNET Download.com.)

Users on an Apple forum reported seeing the so-called blue screen of death (BSOD) on their desktops running Windows Vista with iTunes 8 installed. The BSOD problem occurs shortly after connecting their iPods and iPhones.

A second, more subtle effect is that their CD/DVD drives "disappear."

ZDNet's Ed Bott offers a look at the upgrades or changes in iTunes 8.

Removing other USB devices, such as Webcams and printers, appears to resolve the problem, for the moment. Users on the forum speculate that there is an incompatibility between Apple and USB products from LogicTech and HP, as well as disc-burning software from Roxio.

We will update this post with further details, as they unfold.