Microsoft won't fix Windows 7 crash bug next week
Just one bug fix in quiet Jan. 12 update, 'critical' for Windows 2000 only
Computerworld - Microsoft today said it will deliver a single security update on Tuesday to patch just one vulnerability in Windows.
However, the company acknowledged that it does not yet have a fix for a crippling bug in Windows 7 that went public nearly two months ago.
The expected update will patch a vulnerability rated "critical" -- Microsoft's most serious rating in its four-step scoring system -- in Windows 2000. The bug also affects Windows XP, Vista and Windows 7, as well as Windows Server 2003, Server 2008 and Server 2008 R2, but is tagged as "low" for those editions.
"The first thing that came to mind was a denial-of-service vulnerability for the newer [operating systems], and a remote code execution on Windows 2000," said Andrew Storms, director of security operations at nCircle Network Security.
Microsoft downplayed the threat even to Windows 2000 users. "The Exploitability Index rating for this issue will not be high, which lowers the overall risk," said Jerry Bryant, a Microsoft security spokesman, in a post to the company's security response center blog today.
Storms welcomed next week's light patch load, which follows several months of multiple updates: Microsoft set a security record in October when it patched 34 vulnerabilities in 13 separate updates, for example. "It's nice to have a light month, especially with the uptick in Adobe vulnerabilities," said Storms, referring to an actively exploited bug in Adobe's Reader and Acrobat PDF software that is also slated to be patched Jan. 12.
Adobe, which last summer committed to releasing security updates for Reader and Acrobat each quarter, will also patch bugs next Tuesday. Adobe published its own pre-patch notification today, but as is its practice, declined to say how many vulnerabilities, other than the one now being used by hackers, will be addressed.
For its part, Microsoft is skipping one patch next week, Bryant confirmed today: The company will not fix an outstanding denial-of-service vulnerability in Windows 7 and Windows Server 2008 R2. "We are still working on an update for the issue at this time," he said.
In mid-November, Microsoft confirmed that the bug in SMB (Server Message Block), the Microsoft-designed network file and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines. Microsoft has maintained that the flaw is limited to denial of service and cannot be used to run code on, or take control of, an affected PC.
The Windows 7 flaw was first reported by Canadian researcher Laurent Gaffie Nov. 11, 2009, just a day after Microsoft shipped that month's patches, when he published proof-of-concept attack code to a security mailing list. According to Gaffie, exploiting the flaw crashes Windows 7 and Server 2008 R2 systems so thoroughly that the only recourse is to manually power off the computers.
"From a public [relations] perspective, I would have expected Microsoft to patch the SMB bug this month," said Storms. "On the other hand, I'm not surprised they won't, since it's only a denial-of-service bug."
Microsoft will release the security update at approximately 1 p.m. ET on Jan. 12.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to email@example.com or subscribe to Gregg's RSS feed.