Microsoft last Friday issued a security advisory saying it is investigating reports of a vulnerability that could be used to freeze computers running Windows 7.
Believed to be the first zero-day vulnerability for Windows 7 since the operating system was released on Oct. 22 (a zero-day being a flaw for which exploit details are public before the vendor has a patch available), the bug also affects Windows Server 2008 R2.
According to Microsoft's security advisory, this denial-of-service vulnerability lies in the Server Message Block (SMB) protocol, the application-layer network protocol Windows uses for file and printer sharing between nodes on a network. The vulnerability does not allow an attacker to take remote control of a PC or to install malicious code on a user's system; it can only crash the target. Even so, the vendor says it is aware that detailed proof-of-concept exploit code for the vulnerability has been published.
Microsoft says it knows of no instances where the vulnerability has led to an attack on a user's PC, but is "actively monitoring this situation to keep customers informed and to provide customer guidance as necessary," according to the advisory.
The company did not say it is actively working on a patch to fix the vulnerability, adding that it may do so if it decides such action is necessary to protect its customers. Any patch could come as part of the company's monthly Patch Tuesday release or as an "out-of-cycle" security update, the advisory says.
Microsoft adds that this vulnerability was not "responsibly disclosed," presumably referring to a blog post and e-mail from Canadian researcher Laurent Gaffie, who made the vulnerability public last Wednesday. Microsoft's security advisory cites the "commonly accepted practice" of reporting a vulnerability to the maker of the product before releasing it to the public. "This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed," reads the advisory.
Gaffie explained in an e-mail that last week he had reported another, not-yet-disclosed security issue to the Microsoft Security Response Center (MSRC); the company confirmed the issue but told him it was not going to post a security advisory about it. Instead, MSRC said it might fold a fix for that issue into a service pack, a practice Gaffie referred to as "silent patching." In response, Gaffie posted the Windows 7 vulnerability proof-of-concept exploit code to his blog and to the Full Disclosure security mailing list.