
news-20091019-01.en.xhtml 5.5KB

<?xml version="1.0" encoding="UTF-8" ?>
<html newsdate="2009-10-19">
<head>
<title>
Windows 7 to hit consumers with known security problem
</title>
</head>
<body>
<h1>Windows 7 to hit consumers with known security problem</h1>
<h2>FSFE: Microsoft's neglect highlights value of Free Software</h2>
<p newsteaser="yes">
Microsoft's latest operating system, Windows 7, is currently
shipping with a potentially serious defect. Ahead of the product's
global launch on Thursday, Germany's federal IT security agency
(BSI) has issued a warning <a href="#foot1" id="anchor1">[1]</a> about a high-risk vulnerability in
the SMB2 protocol. This can be exploited over the network to shut
down a computer with a Denial of Service (DoS) attack.
</p><p>
This incident illustrates how proprietary software often poses a
security risk. "Only Microsoft can fix the problem. But they have
apparently closed their eyes to this vulnerability for a long time,
hoping that it wouldn't spoil the retail launch of Windows 7 this
Thursday," says Karsten Gerloff, President of the Free Software
Foundation Europe (FSFE).
</p><p>
Following responsible disclosure practices, the BSI has not
published details in its announcement (<a href="#bsi">English translation below</a>)
from October 6. While it is generally a good strategy to give
vendors time to repair vulnerabilities before announcing them
publicly, in this case the BSI should consider publishing the full
details of the problem to put more pressure on Microsoft. The agency
says that the security hole affects Windows 7 and Windows Vista in
both their 32-bit and 64-bit versions, as well as Windows Server
2008. This vulnerability is different from an earlier SMB2 issue <a href="#foot2" id="anchor2">[2]</a>
for which Microsoft published the patch MS09-050 in September.
</p><p>
FSFE's Gerloff explains: "Microsoft's software locks its users in,
so they have to stay even if the company knowingly exposes them to a
security risk like this. With Free Software like GNU/Linux -
software that you can study, share and improve - several independent
entities can fix the problem. Consumers should not support
Microsoft's negligent behaviour by buying its products. Free
Software offers an alternative, and is available from many
independent vendors."
</p><p>
Microsoft has not yet responded to the BSI's warning. There is no
indication that the company will manage to fix the gaping hole in
its flagship operating system before the global launch of Windows 7
this Thursday. The vulnerability remains open even after Microsoft's
October patch day.
</p><p>
The company's security practices have long been a cause for
concern. In just one recent incident <a href="#foot3" id="anchor3">[3]</a>, Microsoft knew about
another vulnerability in SMB2 since July 2009. While it did fix the
problem in the final version of Windows 7 in early August, it did
nothing to repair the same problem in Windows Vista or Windows
Server 2008 until an independent security researcher went public
about the issue. German IT news site Heise speculates that the issue
ended up on a Microsoft-internal list of low-priority bugs which the
company tries to fix silently, in order to avoid negative publicity.
</p><p>
<a href="#anchor1" id="foot1">[1]</a> <a href="https://www.cert-bund.de/advisoryshort/CB-K09-0315%20UPDATE%201">Germany's federal IT security agency (BSI) has issued a warning</a><br />
<a href="#anchor2" id="foot2">[2]</a> <a href="http://www.microsoft.com/technet/security/advisory/975497.mspx">Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution</a><br />
<a href="#anchor3" id="foot3">[3]</a> <a href="http://www.h-online.com/security/news/item/Microsoft-has-known-of-the-SMB2-hole-for-some-time-832175.html">Microsoft has known of the SMB2 hole for some time</a>
</p>
<hr />
<h2 id="bsi">Translation of the BSI's security advisory:</h2>
<p>
Threat level: "4 high risk" (out of 1-5, with 5 being "very high").<br />
Title: Microsoft Windows SMB2-Protocol: Another vulnerability allows denial
of service (Windows Vista and Windows 7 vulnerable).<br />
Date: 2009-10-06<br />
Software: Microsoft Windows 7, Microsoft Windows 7 x64 Edition, Microsoft
Windows Vista / SP1 / SP2, Microsoft Windows Vista x64 Edition / SP1 / SP2,
Microsoft Windows Server 2008<br />
Platform: Windows<br />
Effect: Denial-of-Service<br />
Remotely exploitable: Yes<br />
Risk: high<br />
Reference: internal research<br />
Description:
</p>
<p>
Server Message Block (SMB) is a protocol which enables shared access
to printers and files. SMB2 is a new version of this protocol, which
was introduced with Windows Vista and Windows Server 2008, and which
is also available on Windows 7. Current implementations of SMB2 are
affected by this vulnerability. This is a new vulnerability, not the
one described in Microsoft Security Advisory 975497. The listed
operating systems can therefore still be successfully attacked even
after installation of the updates of Microsoft's October patch day
(MS09-050).
</p><p>
Currently there is no update or patch available from the vendor. The
only recommended actions are to be aware of and track the
vulnerability. As a workaround it can only be recommended to limit
access to SMB2 servers to trusted systems by firewalls, or to disable
the SMB2 service.
</p>
</body>
<timestamp>$Date$ $Author$</timestamp>
</html>
<!--
Local Variables: ***
mode: xml ***
End: ***
-->
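The two workarounds the advisory recommends, as an added example (not code from the FSFE page or from the BSI) for a Windows 7 / Vista / Server 2008 host run from an elevated PowerShell prompt. It assumes that the host's inbound firewall policy is the default "block", that `$TrustedNets` is a constructed placeholder for the administrator's real trusted subnets, and that disabling SMB2 is only wanted when the `-DisableSmb2` switch is given.

```powershell
# Added example, not part of the FSFE page or the BSI advisory.
# Assumptions: elevated PowerShell 2.0 or later; the "File and Printer
# Sharing (...)" names are the built-in Windows Firewall rules; the Smb2
# DWORD under LanmanServer\Parameters is the documented SMB2 server switch.
param(
    [string[]]$TrustedNets = @("192.0.2.0/24"),   # constructed placeholder
    [switch]$DisableSmb2
)

# Workaround 1: let only trusted systems reach the SMB listeners
# (TCP 445, plus the NetBIOS session port 139 used by fallback clients).
$ports = @{ "SMB-In" = 445; "NB-Session-In" = 139 }
$remote = $TrustedNets -join ","
foreach ($suffix in $ports.Keys) {
    $builtin = "File and Printer Sharing ($suffix)"
    # Disable the built-in any-source allow rule ...
    netsh advfirewall firewall set rule name="$builtin" new enable=no | Out-Null
    # ... and replace it with an allow rule scoped to the trusted networks.
    # With the default inbound policy (block), every other source is dropped.
    netsh advfirewall firewall add rule name="SMB trusted only ($suffix)" `
        dir=in action=allow protocol=TCP localport=$($ports[$suffix]) `
        remoteip=$remote profile=any | Out-Null
}
# Check: the scoped allow rule restricts nothing unless inbound is "Block".
netsh advfirewall show allprofiles | Select-String "Firewall Policy"

# Workaround 2 (optional; clients fall back to SMB1): turn the SMB2 server off.
if ($DisableSmb2) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
    Set-ItemProperty -Path $key -Name Smb2 -Value 0 -Type DWord
    Restart-Service LanmanServer -Force   # restart "Server" so the value takes effect
}
```

Setting `Smb2` to 0 only stops this host from serving SMB2; it does not remove the vulnerable code, so the firewall scoping is the part worth keeping until a vendor patch exists.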