September 8, 2009 6:03 PM PDT

Microsoft: Windows 7 not affected by latest flaw

by Ina Fried

Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports.

"Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation," Microsoft said in the advisory. "We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

The flaw could allow an attacker to gain control of a system, although Microsoft said that "most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

The software maker said it is working with security software partners to provide information that can be used to create protections. Once its investigation is wrapped up, Microsoft said it will take action, which could include releasing a patch during its next monthly cycle or doing an "out-of-band" release, if necessary. Tuesday was Microsoft's monthly release for patches, which included five critical Windows updates addressing eight vulnerabilities.

The software maker said the latest issue affects the "release candidate" version of Windows 7, but not the final version that was completed in July. Also, the recently completed Windows Server 2008 R2 is not vulnerable, Microsoft said, nor are the earlier Windows XP and Windows 2000 operating systems.

Microsoft is already dealing with a separate, still unpatched flaw reported last week, and attacks based on that vulnerability have already been seen. Microsoft has taken issue with the fact that this flaw, like the latest one, was reported publicly rather than disclosed privately to Microsoft, which would have given the company time to patch it.

During her years at CNET News, Ina Fried has changed beats several times, changed genders once, and covered both of the Pirates of Silicon Valley. These days, most of her attention is focused on Microsoft.
by EvanSei September 8, 2009 6:19 PM PDT
Yet another example of how dreadful Vista is and how great Windows 7 is.
by EvanSei September 8, 2009 6:21 PM PDT
Yes, I know it affects the RC, but it is not a finished product, so it is expected. I am talking about the final version.
by Random_Walk September 9, 2009 6:30 AM PDT
Great? More like "lucky"...

Good to see they dodged the bullet with their latest build.
by cosuna September 9, 2009 11:26 AM PDT
All children inherit some things from their parents, but add new strengths and weaknesses not found in them.

By the way: most people focus on "how good is 7" and "how bad is Vista", but none seem to realize that the transition from one "operating realm" to another, that is, a "paradigm shift" from one way of working to a different one, hardly ever is taken by virtue only.

As Thomas Samuel Kuhn stated in "The Structure of Scientific Revolutions", paradigms are "incommensurable", that is, you can't measure one using the ideas of the other.

As much as Microsoft people have tried to convince us that Windows Vista is Windows at its root and that Windows 7 is the "ultimate perfection" (as can be interpreted by the choice of numbering), in reality Windows 6.0 (Vista) is a badly conceived hybrid between Windows 5.x (2000/XP) and a future fully managed code Windows (probably the REAL Windows 7.0).

As such Windows 6.1 (Windows 7) is just a correction and extension on this hybrid metaphor, but still incomplete and faulted. Although it behaves far better than the initial hybrid, this correction in no way will be the only measure of its success.

If technological merit was the only factor used to judge and adopt OS realms, NextStep would have overtaken Windows 3.1 and Macintosh; BeOS would have superseded MacOS 8 and 9; and OS/2 would have replaced DOS long ago. Even further back, the more technologically sound VAXstation (and compatibles) would have overtaken the IBM PC. But in the end, neither NextStep nor BeOS was compatible with either of the installed bases (Windows or Macintosh), OS/2 was compatible but required excessive resources and offered no real gain (the same conundrum as Vista), and the VAXstation, although highly compatible and well executed, offered no real advantage for customers using VAX minis (just like the Windows 7 vs. Windows XP dilemma).

So one must factor in other issues in order to better predict Windows 7's future. Sadly, only time will tell.

If this was TLDR, sorry, had to make my point clear.
by Mark_Anderson September 9, 2009 3:15 PM PDT
Gee Random, why don't you explain to us why it's 'lucky' instead of posting your usual ill-informed drivel.

Oh wait - that's right: you don't actually know what you're talking about, do you?
by Mr. Dee September 8, 2009 6:27 PM PDT
Well, considering Windows 7 Beta and RC are from January and May respectively, which are pre-release software, I don't think anyone should be losing sleep over this. The RTM build is not affected which is what matters most.

Ina, the link to the bulletin says that the page cannot be found.
by cbscowards September 8, 2009 7:03 PM PDT
Ahh... Cnet's daily troll article.

Folks, please remember that you lose all credibility in your post if you include the words Winblows, Windoze, Micro$oft. Or CRAPple, Snow Kittie, etc. Or if you speak of Ballmer or Jobs as if they are personally responsible for all of the failing or triumphs of their respective companies.
by terminalblue September 9, 2009 5:54 AM PDT
Trolling the trolls? Fried is one of CNET's few reputable journalists, and you turned it into some trite debate about how much you hate Apple, and they aren't even mentioned in the article.
by cbscowards September 9, 2009 4:44 PM PDT
@terminalblue:

Did you even read what I wrote? I was hoping to ward off the trolls by pointing out how the ridiculous words they use show them to be mindless fanboys. It looks like it worked; the usual inane W7 vs. SL bickering is lower than usual.
by MeepMan September 10, 2009 3:58 PM PDT
I call it Winblows until Windows 7 is officially released, because, until then, Vista is their official mascot. Sorry if that was not clear before. I am writing this comment on a Windows XP machine. I do not support Winblows (poor versions of windows), as well as poorly designed Microsoft products including but not limited to Winblows Vista (including service pack 1), Winblows Millennium and 98, Internet Explorer 6 and 8 (but not 7 with updates), and Winblows Media player (even the current Real non-beta is better...) Once 7 is released and IE8 gets a speed boost on all pages (not the stupid accelerators) without any sacrifices.

Please note that I call Windows XP by its correct title because it is and was a success.
by contentcreator--2008 September 8, 2009 7:21 PM PDT
All in favor of a mandatory 45-day notification to the software vendor say Aye! Else, a hefty fine to the impatient "researcher". These guys put everyone else at risk in their personal pursuit of the "glory" of being the "first reporter". Or, a nice class action suit from all the people infected by an attack created after the premature release of a vulnerability. These fire drills are tiresome.
by Vegaman_Dan September 8, 2009 8:12 PM PDT
Unless it had the force of law behind it, we'd never see this happen.

Instead, how about a reward system? People find vulnerabilities, clearly point them out to an OEM, and they get a financial reward if it is found to be valid. It could go through a single third-party agency that would be paid by all the major OS OEMs to stay impartial.

Naaaaaah, that too would be doomed to failure as it makes too much sense.
by Imalittleteapot September 8, 2009 8:44 PM PDT
Why 45 days? Why not 30 or 60?

The general idea I agree with though. All software has bugs. I at least like a notice and a chance to make it right for my customers before some script kiddie gets a chance to hack the world like he's really something special. But then again, I don't develop for customers anymore. However, the point is I agree with the idea.

I wouldn't even mind it becoming law. The only problem with legislation though is they always screw up the law and it never does what it was intended to do. They'll probably use it as another chance to go after pirates instead of what it would really be intended for. So, it's probably safer to not do that.

What we can do, though, is respect the real researchers that do and not respect the "hackers/crackers" that don't. However, I don't think there is a problem letting the public know there is an exploit. Just don't tell the public how to do the exploit until after the software company has been notified.
by eadeguzman September 8, 2009 9:38 PM PDT
Hackers who release the information to the public at the same time as to the software vendor are still much better than those hackers who release a virus to the public silently :-)...

Don't blame the hacker... blame the vendor who failed to detect the vulnerability before the hacker does in the first place. "Don't shoot the messenger."

I know that they are being somewhat reckless when they do this. But it's not really their job to inform the software vendor about the exploit.

Besides, sometimes, it takes an egg in the face for a company as big as Microsoft to act.

Tell the exploit silently to the company? What's the fun in that? Many of these hackers do this, not really for the money, but for glory and pride.

So I'm not so sure if a financial incentive will help. It might even get worse, because there might be a lot of wannabe hackers out there who will be motivated by money to find exploits, and Microsoft would spend a lot of time reviewing those submissions and dealing with the hassle of explaining to most of them that the exploits they found are already patched, for example.
by ikramerica--2008 September 8, 2009 11:42 PM PDT
I think that cnet contributes to the glorification of these people, by putting their pictures up, showcasing their "exploits" etc. This encourages them to go public with the information before telling the OEM, or too soon after for the OEM to have time to fix it, just for glory. And cnet plays into it because it makes news.

Though nobody is dying, they are the modern-day Bonnie and Clydes and Billy the Kids of our day. Back then, the press was in love with their exploits too.
by eadeguzman September 9, 2009 6:33 AM PDT
Very good point, ikramerica--2008; CNET and other news agencies may actually have this responsibility...

But then, again, they're still just a messenger. And you would be entering the sticky first amendment debate when you go there (well, we were already there when contentcreator suggested a *mandatory* notification).

Also, withholding information can be tricky and maybe just as dangerous. What if the exploit notification was ignored? And what if this exploit is already well known "underground" (so to speak)?
by Random_Walk September 9, 2009 6:35 AM PDT
Agreed with eadeguzman - shooting the messenger is stupid. Laws shooting the messenger would be even dumber.

Usually, vendors DO get notified, but they quietly stuff it under the rug, or worse, ignore it completely. It usually takes public disclosure to get them to act. Note that Microsoft is not alone in this... I think only Linux and *BSD (because the source code is publicly viewable) will act immediately on a tip, or at worst will still publicly say why not. Firefox also acts fairly rapidly, for the same reasons.

Most proprietary vendors usually won't bother, unless they're forced to or the threat is imminent.
by MKenzie September 9, 2009 7:15 AM PDT
What makes you think that they didn't tell people about this months ago?

The scheduler bug has been there since the days of NT and was still working the last time I checked.

at HH:MM /interactive cmd.exe
by Inconnux September 9, 2009 9:55 AM PDT
You seem to forget that it was the public release of exploits that actually got Microsoft's attention and forced them to fix their bugs. People tried reporting the bugs to Microsoft and they did nothing for months and months... only the 'egg on their face' releasing of these exploits woke Microsoft up.
by alegr September 9, 2009 10:10 AM PDT
Never mind that such a law would be against the US Constitution.
by alegr September 9, 2009 10:15 AM PDT
"The scheduler bug has been there since the days of NT and was still working the last time I checked."

You need administrative privileges for that "bug". And if you have administrative privileges, you're a local god, anyway, you can already FUBAR your system in any mysterious way.
by shellcodes_coder September 9, 2009 1:51 AM PDT
Yo endangered os--snow leopard users, got anything to say? This is the OS that will rule!!
by stickfu September 9, 2009 6:08 AM PDT
yes..

http://www.electronista.com/articles/09/09/08/windows.7.returns.remote.bsod/

http://www.tomshardware.com/news/Windows-Seven-Vista-Exploit-DSoD,8620.html
by shellcodes_coder September 9, 2009 6:12 AM PDT
@stickfu: fake!! 7 is unaffected. Enjoying kernel panics and grey screen of death that your endangered os--snow leopard is giving to you?
by Random_Walk September 9, 2009 6:36 AM PDT
Actually, they're not fake per se - the RC and beta versions were affected, but the RTM version apparently isn't.
by stickfu September 9, 2009 6:40 AM PDT
Your OS has been prison bum raped....... again, by now you should be use to it, No, expecting it. OUCH!
by Lennron September 9, 2009 11:39 AM PDT
@stickfu

How has Windows been bum raped? Despite all the lies and attack ads that Apple floods the market with, Windows still holds over 90% of the desktop/laptop OS market. Sounds like an attempted bum rape that failed to me.
by stickfu September 9, 2009 12:10 PM PDT
this is full insertion..

http://seclists.org/fulldisclosure/2009/Sep/0039.html
by Mark_Anderson September 9, 2009 3:17 PM PDT
Right, so non-commercial pre-releases of a product may be affected by this issue if you turn off the Windows firewall which is enabled by default.

Awesome. Did you actually have anything there, *******?
by stickfu September 10, 2009 6:04 AM PDT
Where does it say non-commercial...

http://seclists.org/fulldisclosure/2009/Sep/0039.html

VI. SYSTEMS AFFECTED

Windows Vista/7 All (64b/32b|SP1/SP2 fully updated) and possibly Win Server 2008
as it use the same SMB2.0 driver (not tested).

**** drone
by ywkhgqo September 9, 2009 5:20 AM PDT
All the haters from yesterday's article can SHOVE IT.
by Random_Walk September 9, 2009 6:37 AM PDT
Eh? They dodged a bullet (barely)... I wouldn't be crowing too hard yet. Once Windows 7 RTM goes public on October 22nd, all bets are off.
by santuccie September 9, 2009 9:26 AM PDT
@Penguinisto:

Really? Vista has gone two years without a single remote exploit surfacing in the wild. You sound like it's XP that is going public next month. But even more amusingly, you sound angry that Windows 7 turns out not to be affected by the latest bulletin. Big deal! Even when it is affected by a vulnerability, its mitigations still make it almost impossible to exploit the vulnerability.

Sorry if you can't digest the thought that you're running the most vulnerable platform left, but whether or not you WANT to believe it doesn't change the fact that it's the truth. Are you that worried? Don't be. If the Mac gets bombarded like some people (like Nils) are predicting, and Apple takes too long to address the issue, nothing is stopping you from migrating back. A paycheck, maybe, but I doubt even that. You don't know enough about computers to be employed even by Apple.
by trboyden September 9, 2009 7:06 AM PDT
Normally vendors do get the opportunity to patch bugs, but the proprietary software vendors typically take 6 months or longer to get around to patching them, so an arbitrary reporting blackout window is fairly pointless. In the case of zero-day exploits such as this one, it's better the public is informed so they can take measures to protect themselves through firewalls or other methods. Besides this was a regression bug, a previously known and exploitable vulnerability, so the vendor had notification of the bug in the past and it is therefore their responsibility to keep it from popping up again in later versions of their software. Regression testing should be done before a product is released - in any form - to the public and this apparently didn't happen in this case. This applies equally to Microsoft, Apple, Linux, or any other software vendor. Microsoft in particular is known for their policies of security through obscurity, so the researchers are the public's only tool to keep the vendor's honest and making secure software.
by weegg September 9, 2009 7:34 AM PDT
It's too bad Windows 7 has that upper-bound RAM limitation that Snow Leopard doesn't. OS X allows addressing up to 16 TB of RAM, while 64-bit Win7 only allows 792GB of RAM.

Too bad :-)
by rapier1 September 9, 2009 8:31 AM PDT
Really? That's an issue for you? Do you have 16TB of RAM handy? Do you have a mobo you can put 16TB in? Will you ever? Look, the timeline for TB RAM is still *years* (I'm saying 10 to 15) away at the consumer level. Right now it's just pointless posturing, and anyone getting worked up about it is either a crass partisan or doesn't know what the heck they are talking about.
by Vegaman_Dan September 9, 2009 8:39 AM PDT
It is a shame we don't have laptops with the capacity for 792Gb of memory. Perhaps when the hardware technology catches up this may be an issue, but ... well, it's going to be a very long time.

Neither Apple nor PCs have any consumer equipment that can handle memory at this level, so it's a moot point.

Too bad indeed.
by lazycat202 September 9, 2009 10:26 AM PDT
LOL 16 TB?? I can afford to pay for up to 5GB of memory on my Win7 laptop and desktop. 5GB is enough for me to play games and all kinds of things.
Yep! I might need 17TB to build a space ship and invite all the Apple dudes to get aboard, with "up-in-the-sky" fees.
by Vegaman_Dan September 9, 2009 2:06 PM PDT
Just for giggles, I hit up newegg.com and looked through the pricing to see what it would cost to populate a system to 16Tb. At the bargain levels, it would only run $400,000.00. Not bad. On average for quality memory like Apple tends to use ($75/Gb) based on Apple memory pricing, then you shoot up to $1.2 million dollars.

A bargain! :)

Oh drat, I only have a $2 million dollar bill on me... got change?
by Mark_Anderson September 9, 2009 3:18 PM PDT
@Dan

LOL!

I love it when silly boys like weegg are put in their place.
by MeepMan September 10, 2009 4:10 PM PDT
Well, whoopee, now that I've bought all that ram (and possibly emptied the 20 nearest cash registers), I'm going to use it on a Mac? Waste. Stick it on a dual-boot Windows XP/7 RTM and Ubuntu Jaunty machine. Otherwise, that 16 TB of ram is wasted on an OS designed for rich kids to show off, and adults to make them feel like spoiled, rich kids.

Unfortunately, the only thing to show off is the price tag and the pathetic names (almost as bad as Vista). I mean, even if you addressed the 16 TB, there are no apps that would use that space (not counting bloatware)
by keano12 September 12, 2009 7:47 PM PDT
Reply to him with Proof and facts, not with one-liners people. Mac Fanboys love it when people get irritated at them because they are too insecure on how much money they wasted on overpriced Macs. P.S. Seriously, Macs are pricey and a little bit over the top for maintenance...
by magnus33 September 9, 2009 9:32 AM PDT
I find it terribly funny when they start talking about how secure snow leopard or the mac os is.

Vista came out in January of 2007 and by December had 43 serious security flaws.
Leopard came out in October and by December had 243.

There are vastly more security holes now than Vista and XP combined.
For any nonbelievers, just go count them, as they're in every updated Mac.

I own Macs, but I don't fall for all the hype, and I know that just because the Mac is not a big target yet doesn't mean it's secure.
by Lennron September 9, 2009 11:44 AM PDT
The only security the Mac has is that people don't try to attack Macs. They make up such an insignificant portion of the market, and hackers know that Mac users are suffering enough with their overpriced/underperforming computers.
by Lerianis3 September 12, 2009 5:27 AM PDT
Lennron, right in one. The only reason that Macs don't have OODLES of viruses, spyware, etc. is because they are still an also-ran operating system that NO criminal wants to spend their time trying to break into, period and done with.
Once they are more than 15 to 25% of the market........ you will see malware for them EXPLODE!
by topanaris September 9, 2009 10:14 AM PDT
Interesting, an article about Microsoft and, dare I say it ............... no Mac fanboys?
by Vegaman_Dan September 9, 2009 2:08 PM PDT
Oh, they are here. Just read through the comments.
by AppleSuxLeo September 9, 2009 2:30 PM PDT
I bet Jobs wished it did affect "7"...being the smug Awhole that he is.
by freebird1974 September 10, 2009 5:24 AM PDT
"The flaw could allow an attacker to gain control of a system" - this is what almost all Windows updates say. Windows is soooo riddled with holes it isn't funny. Every time they patch a hole, 10 more show up. This shows that Microsoft is terrible at software development. I know bugs can come out of the woodwork, but damn, Vista is already on its second service pack and it's ONLY been out for 2 damn years. Windows 7 hasn't even been released yet and I hear there are bugs in it already.

Building rock-solid software takes time I know. Microsoft had 6 damn years to do it in with vista. Vista is almost as bad as Windows ME was. That shows ****-poor workmanship.
by deniceels September 12, 2009 10:54 PM PDT
It would be poor software development management, but given that Snow Leopard came out with a service patch barely 2 weeks after its release, and still breaks more software, that's just as poor. One problem is the size of the programme, just like a building: the larger a building gets, the more need there is for tighter control over quality, but if it's huge, it gets harder, so there's a lack of tight control over everything, especially coordination. Show me a huge/big company that doesn't have its flaws, and a small one. The bigger it is, the more obvious it becomes.
by shycelticwitch September 10, 2009 11:50 AM PDT
Silly is as silly does... you should read a few of your own comments.
by shycelticwitch September 10, 2009 11:56 AM PDT
Microsoft: Windows 7 not affected by latest flaw....yet... Give it time. If someone does NOT figure out a way to effectively attack this new OS, it will be a time for celebration. But I am not getting out my party hat until the dust settles. Since the OS hasn't even been released worldwide yet, no one knows for sure what will happen.

Until then, all of these comments (pro and con) are pointless.
by Lerianis3 September 12, 2009 5:28 AM PDT
They are going to find a way to attack the OS..... that's a given. What matters is if the attack can be used to run non-user-wanted code on the machine and if it can be used to silently install malware.
by keano12 September 12, 2009 7:41 PM PDT
To make things simple, Vista is still a good operating system even with some flaws, and Windows 7 will be the better OS, but as the saying goes, "Nothing is perfect." Only God and Jesus are perfect.