RealTime IT News

Windows 7 Won't Include Zero-Day Flaw: Microsoft

Following confirmation by a passel of security experts, Microsoft now admits that a key file-sharing protocol in several recent versions of Windows suffers from a zero-day vulnerability -- which also affects a pre-release version of Windows 7.

However, the company remains adamant that the hole does not impact the final version of Windows 7 that is just about to hit store shelves.

Microsoft (NASDAQ: MSFT) on Tuesday issued a Security Advisory warning users and IT administrators of a "possible vulnerability" in SMB2 (System Message Block Version 2) that could let an attacker "take complete control of an affected system."

Despite the "possible" label, Microsoft has said it is working on a patch for the problem and will release it when it's ready.

At that time, the security researcher who discovered the security hole -- Laurent Gaffie -- claimed that in addition to all versions of Vista and probably Windows Server 2008, the bug also affects Windows 7, albeit inconsistently.

Microsoft said it has now pinned the affected versions down more precisely.

"Microsoft found that Windows Vista, Windows Server 2008 and Windows 7 RC [Release Candidate] are affected by this vulnerability while Windows 7 RTM [Released to Manufacturing], Windows Server 2008 R2, Windows XP and Windows 2000 are not," Christopher Budd, security response communications lead, said in an e-mail to InternetNews.com.

According to Microsoft, Windows XP and Windows 2000 are not at risk because they use an older version of the protocol, SMB1. Still, the sticky part is figuring out which later releases of Windows are vulnerable -- particularly, when it comes to the various permutations of Windows 7.

Microsoft said that Windows 7 RC -- the final prerelease version of Windows 7 -- has the leaky code. Still, the RTM version -- the final version of Windows 7 that Microsoft has been giving out to PC OEMs and early-access subscribers for more than a month -- does not have the hole because the company's developers had already fixed its SMB2 implementation.

That doesn't necessarily mean that at least some early Windows 7 users may be at risk. The Release Candidate's availability expired Aug. 20, although the code will continue to run until next June.

Additionally, Windows 2008 has the unpatched SMB2 code, while Windows 2008 R2 (Release 2) contains the fixed SMB2 protocol.

Meanwhile, descriptions of the exploit's danger have escalated overnight as well. Originally, Gaffie described what he thought was a successful denial-of-service (DoS) attack, causing the system to crash. However, other hackers and security experts have been able demonstrate that the exploit could be used to take over the user's computer -- a fact that Microsoft verified in its advisory.

While users and administrators wait for the patch, Microsoft has published two workarounds for the problem. One is to disable SMB2 entirely. The second is to disable the two communications ports on the firewall that support SMB operations -- ports 139 and 445. That causes more than a dozen features to cease functioning, including file and print sharing.

Microsoft has not given a schedule for the availability of the upcoming patch.