Windows 7 zero-day flaw reported by researcher


A security researcher has posted details of what he says is a zero-day vulnerability in Windows 7.

Laurence Gaffi posted proof of concept code of the vulnerability, which he said was able to remotely crash Windows 7 or Windows Server 2008 R2 on a local area network (LAN), or through Internet Explorer (IE).

On his blog, he stated that the bug triggered an infinite loop' on the server message block (SMB), a network file sharing protocol, without any authorisation or credentials needed.

He said that the bug was proof that Microsoft's security development lifecycle (SDL), a software development process that was encouraged to increase reliability, had failed.

Gaffi also mocked any belief that Windows 7 was the most secure operating system ever', saying: "Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS (NetBIOS Name Server) tricks."

"How funny," he added.

As there was no patch available, he recommended users close their SMB feature and ports, until a real audit is provided.

He claimed that he contacted the Microsoft Security Response Centre (MSRC) last week about the flaw, and that it acknowledged there was a problem.

Microsoft said in a statement that it was aware of rumours of a security bug affecting Windows 7 and Windows Server 2008 R2, and was currently investigating.

"New developments such as this security bug are taken very seriously and Microsoft will advise customers on the next steps following the investigation," it said.

Security researchers have already warned that Windows 7 is just as vulnerable to attack as previous systems.