Feeds

Creaky old Windows flaw rises, divides doommongers

It's either no biggie, or hot buttered death

Internet Security Threat Report 2014

A new Windows-based denial of service attacks reportedly exploits a 10-year old OS flaw to crash vulnerable systems.

Independent security experts downplay the likely impact of the bug even though 2X Software, the virtual computing firm that discovered the bug, is talking up its supposed seriousness. Versions of Windows from the latest Windows 7/Server 2008 versions down to Windows 2000/Server 2003 are affected by the flaw, according to 2X.

2X, which is not well known in the world of information security research, issued a press release over its discovery on Wednesday billing it "one of the biggest security vulnerabilities in the Windows OS for many years".

Beyond saying the bug can result in a blue screen and system reboot, 2X's release is scant on details. Independent security experts are suspicious of reading too much into 2X's claims.

"Given the immediate explanation it doesn't seem likely that we would even consider it a vulnerability - and if we do, then it only seems to be a local denial-of-service," said Thomas Kristensen, CSO of security notification firm Secunia. "This means that the most 'critical' scenario is where users [have] already got legal access to a terminal server or other multi user system which they can crash."

"If you can already run code on a system then you could do a zillion more useful things than crash it," adds Kristensen. "There are also many ways in which to crash a system if you can run code. Thus it is hard to see what's new here, except that blue screen of death is quite rare these days unless you have malware or a buggy hardware driver."

2X, which reckons that exploiting the flaw would be straightforward, has notified Microsoft about the vulnerability.

"With just a few lines of code an application can be created that will crash the whole Windows system," it said. "This flaw can be easily used inside malicious applications to generate a Denial of Service attack. The problem can be easily corrected within the OS code by validating the arguments passed to the API."

The warning from 2X follows just weeks after UK security firm PrevX wrongly blamed a Black Screen of Death problem on a recent Windows update back in December. Blue screen problems some experienced after applying Microsoft updates earlier this month were later put down to the presence of a rootkit on affected systems.

With this recent history in mind, it's perhaps best to wait for Microsoft's response rather than rushing to judgement on 2X's advisory press release. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
You dirty RAT! Hong Kong protesters infected by iOS, Android spyware
Did China fling remote access Trojan at Occupy Central?
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.