A security researcher has posted details of what he says is a zero-day vulnerability in Windows 7.
Laurence Gaffi posted proof of concept code of the vulnerability, which he said was able to remotely crash Windows 7 or Windows Server 2008 R2 on a local area network (LAN), or through Internet Explorer (IE).
On his blog, he stated that the bug triggered an infinite loop' on the server message block (SMB), a network file sharing protocol, without any authorisation or credentials needed.
He said that the bug was proof that Microsoft's security development lifecycle (SDL), a software development process that was encouraged to increase reliability, had failed.
Gaffi also mocked any belief that Windows 7 was the most secure operating system ever', saying: "Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS (NetBIOS Name Server) tricks."
"How funny," he added.
As there was no patch available, he recommended users close their SMB feature and ports, until a real audit is provided.
He claimed that he contacted the Microsoft Security Response Centre (MSRC) last week about the flaw, and that it acknowledged there was a problem.
Microsoft said in a statement that it was aware of rumours of a security bug affecting Windows 7 and Windows Server 2008 R2, and was currently investigating.
"New developments such as this security bug are taken very seriously and Microsoft will advise customers on the next steps following the investigation," it said.
Security researchers have already warned that Windows 7 is just as vulnerable to attack as previous systems.
-
How AI code is changing software developmentITPro Podcast At firms like OpenAI the majority of code is now generated with AI tools
-
Equinix expands Fabric Geo Zones in data sovereignty driveNews The firm says it can provide the first network-level, sovereignty enforcement layer that operates across interconnected clouds and providers
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Organizations hit by 90 zero-day vulnerabilities last yearNews Google Threat Intelligence researchers warn that edge devices and security appliances are prime entry points
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
