Feeds

Win 7 remote kernel crasher code released

File and print freeze menace revealed

Protecting against web application threats using SSL

Microsoft has reportedly begun investigating a potentially nasty denial of service vulnerability affecting Windows 7.

A security bug in windows 7 and Windows 2008R2 makes it possible to lock up affected systems. The crash would happen without a Blue Screen of Death or other visible indication that anything was amiss.

The system freeze can be triggered remotely by sending malformed packets to targeted systems - specifically a NetBIOS (Network Basic Input/Output System) header that specifies an incoming SMB packet is either four bytes smaller or larger than it actually is. Server Message Block (SMB) is a network protocol used to provide shared access to files and printers.

Proof of concept code was posted by white hat security researcher Laurent Gaffié in a blog entry on Wednesday. "Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks, [with] no user interaction," Gaffié writes.

Gaffié previously highlighted flaws in Microsoft's implementation of SMB that created an even greater code execution risk back in September.

While it might be used to knock over targeted systems, there's no evidence that the latest flaw lends itself to code injection, a far more serious type of problem. News of the bug broke a day after Microsoft's regular Patch Tuesday updates came and went.

Microsoft's six patches on Tuesday included a fix (MS09-065) for a critical hole in the Windows kernel of Windows 2000, Windows XP and Windows Server 2003. The same update had an "important" (ie lesser risk) patch for Vista and Windows Server 2008. Windows 7 users were not affected by either this or two other Windows-related security updates released earlier this week.

Redmond's security gnomes have reportedly begun investigating the Windows 7 denial of service risk, but Microsoft UK was unable to shed extra light on the issue this morning. We'll update this story as and when new details emerge. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.