Security Watch

Windows 7 Gets Its First Bug

Plus: hackers try to bypass Windows 7's WAT; Internet Explorer attack can hurt the kernel.

In an inauspicious beginning to the week, the first zero-day bug for Windows 7 has emerged.

The bug touches on Microsoft's Server Message Block (SMB) file-sharing protocol -- specifically, SMBv1 and SMBv2 on Windows 7 and Windows Server 2008 R2. Microsoft has issued a security advisory describing workarounds, but says most users would be protected from attacks by blocking two ports at the firewall.

This isn't the first time SMB issues have popped up. In the last three months, there've been instances of exploits affecting the program through different attack vectors, with different implications.

This latest exploit is of the denial-of-service variety: if effective, it would deny users or administrators access to the service, or alter or remove that access.
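The firewall workaround mentioned above, as an added example that is not from the article or from Microsoft's advisory: the article does not name the two ports, so this script assumes they are TCP 139 (NetBIOS session service) and TCP 445 (direct-hosted SMB), the standard ports SMB listens on. It adds inbound block rules for both and then lists the rules and any local listeners so an administrator can confirm the workaround is in place. It uses netsh because the NetSecurity cmdlets (New-NetFirewallRule) did not exist on Windows 7.

```powershell
# Added example: block inbound SMB at the Windows Firewall on a Windows 7 /
# Server 2008 R2 host. Assumption: the "two ports" from the advisory are
# TCP 139 and TCP 445. Run from an elevated PowerShell prompt.

$smbPorts = @(139, 445)

foreach ($port in $smbPorts) {
    # No spaces in the rule name, so it passes through netsh argument parsing cleanly.
    $ruleName = "BlockInboundSMB-TCP$port"

    # Idempotent: skip the port if a rule with this name already exists.
    # netsh exits non-zero and prints "No rules match" when the name is unknown.
    $existing = netsh advfirewall firewall show rule name=$ruleName 2>&1
    if ($LASTEXITCODE -eq 0 -and ($existing -match 'Rule Name')) {
        Write-Host "Rule already present: $ruleName"
        continue
    }

    # dir=in action=block applies to all firewall profiles by default.
    netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=$port
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Failed to add firewall rule for TCP $port"
    }
}

# Verification: show the rules just created, then show whether the SMB service
# is still listening locally. The listener remains; the firewall now drops
# inbound connections to it before they reach the service.
netsh advfirewall firewall show rule name=all | Select-String 'BlockInboundSMB'
netstat -ano -p TCP | Select-String ':139 |:445 '
```

Blocking these ports inbound also stops other machines from reaching file and printer shares on this host, so for a file server the rule would need to be scoped (for example with remoteip= restricted to trusted subnets) rather than applied to all sources; for ordinary workstations, which rarely need to serve shares, the blanket block is the simpler and safer setting.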

Windows 7 Without WAT?
According to the blog My Digital Life, hackers have been trying to figure out how to bypass Windows Activation Technologies (WAT) in Windows 7.

WAT is the activation requirement for an installed Windows 7 system, conceived by Microsoft's anti-piracy team as a means to curtail rogue installations of the OS on unlicensed PCs.

Now, My Digital Life and other sites are reporting that so-called bypass commands such as "RemoveWAT" and "ChewWGA" are spreading on the Internet and could help users install Windows 7 without a product key.

Of course, the main drawback of such an installation -- other than it being illegal -- is that hackers can use tampered copies of Windows 7 to spread malicious code across networks and to hide behind a veil of anonymity.

Microsoft said as much in an e-mail statement, saying that such instances of Windows 7 could "contain malware." The software giant also claimed to be "aware of this workaround and [is] already working to address it."

The Kernel Is the Key
Security gadflies like Jason Miller of Shavlik Technologies and H.D. Moore, creator of the popular open source exploit clearinghouse Metasploit and now chief security officer of Rapid7, think proof-of-concept code may be in the works to attack the Windows kernel, the operative heart of the OS.

That's why experts are keeping their eyes on Embedded OpenType (EOT) fonts, the focal point of a recently patched critical vulnerability in this month's Patch Tuesday slate. Hackers can use EOT fonts on Internet Explorer pages, potentially tricking users into clicking on them and thus triggering exploit code.

Microsoft said in a security bulletin that "the most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font."

Conventional wisdom has hackers moving toward attacking applications, preferring to enter a network that way instead of through more sturdy OSes. But IE is an application that thinks and sometimes acts like an OS, and with the growth of browser-borne enterprise projects, an attack on IE can lead directly to the kernel.

In an e-mailed statement regarding last week's patch release, Shavlik's Miller said an exploit would hit the wild "sooner than later." And for his part, Rapid7's Moore said he was actually testing potential proofs-of-concept -- or, to use his words, "working on ways to test the critical flaw against the MS patch."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


Reader Comments:

Sun, Feb 7, 2010 Acai Elite Extreme New York

Great, now Windows 7 is more interesting and useful for us.

Tue, Dec 1, 2009

It's funny how these articles are written by people who pretend to know what they're talking about, when really it's just rephrased information from other sites.

Fri, Nov 20, 2009 Jorge Portales Mexico City

Hi, about two weeks ago a friend told me that he installed a W7 Beta version on his laptop, finding that when he was in the garden using the "Wireless Networks searching Tool", he discovered that besides the normal information related to the SSID, he was able to see the User Id and the Password; it was true for any wireless net around his home. Who has the bug, W7 or the 2WIRE SDL routers of the Telephone Company? Regards

Tue, Nov 17, 2009 Bruce Alcock Norman, OK

I hate the "Continue reading" links, most especially when they do not work. Please consider finishing at least articles in your email. The alternative is to click UNSUBSCRIBE - as soon as the links are working again.

Tue, Nov 17, 2009 Ken Gharibian Los Angeles

...most users would be protected from attacks by blocking two ports at the firewall... Which ports?

