FSFE
/
fsfe-website
Bevaka 16
Stjärnmärk 19
Förgrening 42
Kod Ärenden 57 Pull-förfrågningar 8 Släpp 2 Wiki Aktiviteter
Source files of fsfe.org, pdfreaders.org, freeyourandroid.org, ilovefs.org, drm.info, and test.fsfe.org. Contribute: https://fsfe.org/contribute/web/ https://fsfe.org
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
36046 Incheckningar
13 Grenar
Träd: 87cd5fe13a
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '87cd5fe13a'
${ noResults }
fsfe-website/news/2009/news-20091019-01.en.xhtml

news-20091019-01.en.xhtml 5.5KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116 
  1. <?xml version="1.0" encoding="UTF-8" ?>

  2. 

  3. <html newsdate="2009-10-19">

  4. <head>

  5.   <title>

  6.         Windows 7 to hit consumers with known security problem

  7.   </title>

  8. </head>

  9. <body>

  10. 

  11.   <h1>Windows 7 to hit consumers with known security problem</h1>

  12. 	<h2>FSFE: Microsoft's neglect highlights value of Free Software</h2>

  13. 

  14.   <p newsteaser="yes">

  15.   Microsoft's latest operating system, Windows 7, is currently

  16.   shipping with a potentially serious defect. Ahead of the product's

  17.   global launch on Thursday, Germany's federal IT security agency

  18.   (BSI) has issued a warning <a href="#foot1" id="anchor1">[1]</a> about a high-risk vulnerability in

  19.   the SMB2 protocol. This can be exploited over the network to shut

  20.   down a computer with a Denial of Service (DoS) attack.

  21. </p><p>

  22.   This incident illustrates how proprietary software often poses a

  23.   security risk. "Only Microsoft can fix the problem. But they have

  24.   apparently closed their eyes to this vulnerability for a long time,

  25.   hoping that it wouldn't spoil the retail launch of Windows 7 this

  26.   Thursday," says Karsten Gerloff, President of the Free Software

  27.   Foundation Europe (FSFE).

  28. </p><p>

  29.   Following responsible disclosure practices, the BSI has not

  30.   published details in its announcement (<a href="#bsi">English translation below</a>)

  31.   from October 6. While it is generally a good strategy to give

  32.   vendors time to repair vulnerabilities before announcing them

  33.   publicly, in this case the BSI should consider publishing the full

  34.   details of the problem to put more pressure on Microsoft. The agency

  35.   says that the security hole affects Windows 7 and Windows Vista in

  36.   both their 32-bit and 64-bit versions, as well as Windows Server

  37.   2008. This vulnerability is different from an earlier SMB2 issue <a href="#foot2" id="anchor2">[2]</a>

  38.   for which Microsoft published the patch MS09-050 in September.

  39. </p><p>

  40.   FSFE's Gerloff explains: "Microsoft's software locks its users in,

  41.   so they have to stay even if the company knowingly exposes them to a

  42.   security risk like this. With Free Software like GNU/Linux -

  43.   software that you can study, share and improve - several independent

  44.   entities can fix the problem. Consumers should not support

  45.   Microsoft's negligent behaviour by buying its products. Free

  46.   Software offers an alternative, and is available from many

  47.   independent vendors."

  48. </p><p>

  49.   Microsoft has not yet responded to the BSI's warning. There is no

  50.   indication that the company will manage to fix the gaping hole in

  51.   its flagship operating system before the global launch of Windows 7

  52.   this Thursday. The vulnerability remains open even after Microsoft's

  53.   October patch day.

  54. </p><p>

  55.   The company's security practices have long been a cause for

  56.   concern. In just one recent incident <a href="#foot3" id="anchor3">[3]</a>, Microsoft knew about

  57.   another vulnerability in SMB2 since July 2009. While it did fix the

  58.   problem in the final version of Windows 7 in early August, it did

  59.   nothing to repair the same problem in Windows Vista or Windows

  60.   Server 2008 until an independent security researcher went public

  61.   about the issue. German IT news site Heise speculates that the issue

  62.   ended up on a Microsoft-internal list of low-priority bugs which the

  63.   company tries to fix silently, in order to avoid negative publicity.

  64. </p><p>

  65. 

  66. <a href="#anchor1" id="foot1">[1]</a> <a href="https://www.cert-bund.de/advisoryshort/CB-K09-0315%20UPDATE%201">Germany's federal IT security agency (BSI) has issued a warning</a><br />

  67. <a href="#anchor2" id="foot2">[2]</a> <a href="http://www.microsoft.com/technet/security/advisory/975497.mspx">Microsoft Security Advisory (975497): Vulnerabilities in SMB Could Allow Remote Code Execution</a><br />

  68. <a href="#anchor3" id="foot3">[3]</a> <a href="http://www.h-online.com/security/news/item/Microsoft-has-known-of-the-SMB2-hole-for-some-time-832175.html"> Microsoft has known of the SMB2 hole for some time </a>

  69. </p>

  70. 

  71.  

  72. 

  73. <hr />

  74. 

  75. <h2 id="bsi">Translation of the BSI's security advisory: </h2>

  76. <p>

  77. Threat level: "4 high risk" (out of 1-5, with 5 being "very high").<br />

  78. Title:  Microsoft Windows SMB2-Protocol: Another vulnerability allows denial

  79. of service (Windows Vista and Windows 7 vulnerable).<br />

  80.   Date:  2009-10-06<br />

  81.   Software:  Microsoft Windows 7, Microsoft Windows 7 x64 Edition, Microsoft

  82. Windows Vista / SP1 / SP2, Microsoft Windows Vista x64 Edition / SP1 / SP2,

  83. Microsoft Windows Server 2008<br />

  84.   Platform:  Windows<br />

  85.   Effect:  Denial-of-Service<br />

  86.   Remoteexploitable:  Yes<br />

  87.   Risk:  high<br />

  88.   Reference:   internal research<br />

  89. Description:

  90. </p>

  91. <p>

  92. Server Message Block (SMB) is a protocol which enables shared access

  93. to printers and files. SMB2 is a new version of this protocol, which

  94. was introduced with Windows Vista and Windows Server 2008, and which

  95. is also available on Windows 7. Current implementations of SMB2 are

  96. affected by this vulnerability. This is a new vulnerability, not the

  97. one described in Microsoft Security Advisory 975497. The listed

  98. operating systems can therefore still be successfully attacked even

  99. after installation of the updates of Microsoft's October patchday

  100. (MS09-050). 

  101. </p><p>

  102. Currently there is no update or patch available from the vendor. The

  103. only recommended actions are to be aware of and track the

  104. vulnerability. As a workaround it can only be recommended to limit

  105. access to SMB2 servers to trusted systems by firewalls, or to disable

  106. the SMB2 service.

  107. 	</p>

  108. 

  109.   </body>

  110.   <timestamp>$Date$ $Author$</timestamp>

  111. </html>

  112. <!--

  113. Local Variables: ***

  114. mode: xml ***

  115. End: ***

  116. -->