Press release

svn path=/trunk/; revision=13298
tags/stw2018
hugoroy 9 years ago
parent
commit
77e89db0d2
1 changed file with 115 additions and 0 deletions
  1. +115 / -0  news/2009/news-20091019-01.en.xhtml

+ 115
- 0
news/2009/news-20091019-01.en.xhtml View File

@@ -0,0 +1,115 @@
1
+<?xml version="1.0" encoding="UTF-8" ?>
2
+
3
+<html newsdate="2009-10-08">
4
+<head>
5
+  <title>
6
+        Windows 7 to hit consumers with known security problem
7
+  </title>
8
+</head>
9
+<body>
10
+
11
+  <h1>FSFE: Microsoft's neglect highlights value of Free Software</h1>
12
+
13
+  <p newsteaser="yes">
14
+  Microsoft's latest operating system, Windows 7, is currently
15
+  shipping with a potentially serious defect. Ahead of the product's
16
+  global launch on Thursday, Germany's federal IT security agency
17
+  (BSI) has issued a warning <a href="#foot1" id="anchor1">[1]</a> about a high-risk vulnerability in
18
+  the SMB2 protocol. This can be exploited over the network to shut
19
+  down a computer with a Denial of Service (DoS) attack.
20
+</p><p>
21
+  This incident illustrates how proprietary software often poses a
22
+  security risk. "Only Microsoft can fix the problem. But they have
23
+  apparently closed their eyes to this vulnerability for a long time,
24
+  hoping that it wouldn't spoil the retail launch of Windows 7 this
25
+  Thursday," says Karsten Gerloff, President of the Free Software
26
+  Foundation Europe (FSFE).
27
+</p><p>
28
+  Following responsible disclosure practices, the BSI has not
29
+  published details in its announcement (<a href="#bsi">English translation below</a>)
30
+  from October 6. While it is generally a good strategy to give
31
+  vendors time to repair vulnerabilities before announcing them
32
+  publicly, in this case the BSI should consider publishing the full
33
+  details of the problem to put more pressure on Microsoft. The agency
34
+  says that the security hole affects Windows 7 and Windows Vista in
35
+  both their 32-bit and 64-bit versions, as well as Windows Server
36
+  2008. This vulnerability is different from an earlier SMB2 issue <a href="#foot2" id="anchor2">[2]</a>
37
+  for which Microsoft published the patch MS09-050 in September.
38
+</p><p>
39
+  FSFE's Gerloff explains: "Microsoft's software locks its users in,
40
+  so they have to stay even if the company knowingly exposes them to a
41
+  security risk like this. With Free Software like GNU/Linux -
42
+  software that you can study, share and improve - several independent
43
+  entities can fix the problem. Consumers should not support
44
+  Microsoft's negligent behaviour by buying its products. Free
45
+  Software offers an alternative, and is available from many
46
+  independent vendors."
47
+</p><p>
48
+  Microsoft has not yet responded to the BSI's warning. There is no
49
+  indication that the company will manage to fix the gaping hole in
50
+  its flagship operating system before the global launch of Windows 7
51
+  this Thursday. The vulnerability remains open even after Microsoft's
52
+  October patch day.
53
+</p><p>
54
+  The company's security practices have long been a cause for
55
+  concern. In just one recent incident <a href="#foot3" id="anchor3">[3]</a>, Microsoft knew about
56
+  another vulnerability in SMB2 since July 2009. While it did fix the
57
+  problem in the final version of Windows 7 in early August, it did
58
+  nothing to repair the same problem in Windows Vista or Windows
59
+  Server 2008 until an independent security researcher went public
60
+  about the issue. German IT news site Heise speculates that the issue
61
+  ended up on a Microsoft-internal list of low-priority bugs which the
62
+  company tries to fix silently, in order to avoid negative publicity.
63
+</p><p>
64
+
65
+<a href="#anchor1" id="foot1">[1]</a> <a href="https://www.cert-bund.de/advisoryshort/CB-K09-0315%20UPDATE%201">https://www.cert-bund.de/advisoryshort/CB-K09-0315%20UPDATE%201</a><br />
66
+<a href="#anchor2" id="foot2">[2]</a> <a href="http://www.microsoft.com/technet/security/advisory/975497.mspx">http://www.microsoft.com/technet/security/advisory/975497.mspx</a><br />
67
+<a href="#anchor3" id="foot3">[3]</a> <a href="http://www.h-online.com/security/news/item/Microsoft-has-known-of-the-SMB2-hole-for-some-time-832175.html">http://www.h-online.com/security/news/item/Microsoft-has-known-of-the-SMB2-hole-for-some-time-832175.html</a>
68
+</p>
69
+
70
+ 
71
+
72
+<hr />
73
+
74
+<h2 id="bsi">Translation of the BSI's security advisory: </h2>
75
+<p>
76
+Threat level: "4 high risk" (out of 1-5, with 5 being "very high").<br />
77
+Title:  Microsoft Windows SMB2-Protocol: Another vulnerability allows denial
78
+of service (Windows Vista and Windows 7 vulnerable).<br />
79
+  Date:  2009-10-06<br />
80
+  Software:  Microsoft Windows 7, Microsoft Windows 7 x64 Edition, Microsoft
81
+Windows Vista / SP1 / SP2, Microsoft Windows Vista x64 Edition / SP1 / SP2,
82
+Microsoft Windows Server 2008<br />
83
+  Platform:  Windows<br />
84
+  Effect:  Denial-of-Service<br />
85
+  Remoteexploitable:  Yes<br />
86
+  Risk:  high<br />
87
+  Reference:   internal research<br />
88
+Description:
89
+</p>
90
+<p>
91
+Server Message Block (SMB) is a protocol which enables shared access
92
+to printers and files. SMB2 is a new version of this protocol, which
93
+was introduced with Windows Vista and Windows Server 2008, and which
94
+is also available on Windows 7. Current implementations of SMB2 are
95
+affected by this vulnerability. This is a new vulnerability, not the
96
+one described in Microsoft Security Advisory 975497. The listed
97
+operating systems can therefore still be successfully attacked even
98
+after installation of the updates of Microsoft's October patchday
99
+(MS09-050). 
100
+</p><p>
101
+Currently there is no update or patch available from the vendor. The
102
+only recommended actions are to be aware of and track the
103
+vulnerability. As a workaround it can only be recommended to limit
104
+access to SMB2 servers to trusted systems by firewalls, or to disable
105
+the SMB2 service.
106
+	</p>
107
+
108
+  </body>
109
+  <timestamp>$Date$ $Author$</timestamp>
110
+</html>
111
+<!--
112
+Local Variables: ***
113
+mode: xml ***
114
+End: ***
115
+-->
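Review bot: the `newsdate="2009-10-08"` attribute on the `<html>` element does not match the date encoded in the file name (`news-20091019-01`), and neither matches the BSI advisory date of 2009-10-06 quoted further down; please settle on the intended publication date so the news index and the article agree. Two smaller points in the same hunk: "Remoteexploitable:  Yes" in the translated advisory header should read "Remotely exploitable: Yes", and the closing `</p>` before `</body>` is indented with a tab while the rest of the file uses spaces.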