The Microsoft Tax: Windows 7 zero-day flaw enables attackers to cripple PCs; Macintosh unaffected

The New Mac mini “Microsoft late on Friday confirmed that an unpatched vulnerability exists in Windows 7, but downplayed the problem, saying most users would be protected from attack by blocking two ports on their firewall,” Gregg Keizer reports for Computerworld.

“In a security advisory, Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines,” Keizer reports. “The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog. According to Gaffie, exploiting the flaw crashes Windows 7 and Server 2008 R2 systems so thoroughly that the only recourse is to manually power off the computers.”

Keizer reports, “Attacks could be aimed at any browser, not just Internet Explorer (IE), Microsoft warned. After tricking users into visiting a malicious site or a previously-compromised domain, hackers could feed them specially-crafted URIs (uniform resource identifier), and then crash their PCs with malformed SMB packets.”

Keizer reports, “Microsoft said it may patch the problem, but didn’t spell out a timetable or commit to an out-of-cycle update before the next regularly-scheduled Patch Tuesday of Dec. 8. Instead, the company suggested users block TCP ports 139 and 445 at the firewall. Doing so, however, would disable browsers as well as a host of critical services, including network file-sharing and IT group policies.”

MacDailyNews Take: Oh, that’s convenient. Who needs to browse the Web with their PC, anyway? Just wait until December 8th. Good thing you “saved” $69 on that shitastic Dell laptop instead of getting that Apple MacBook you really wanted, huh, Lauren? Lauren? Oh, Laaauuuren?

Full article here.

MacDailyNews Take:

Direct link via YouTube here.

29 Comments

  1. “…saying most users would be protected from attack by blocking two ports on their firewall,”

    Ah, yes. Very user-friendly. Perhaps they should include that in their commercials — “Win 7 was made by me… and btw be sure to block two ports on your firewall, and don’t forget to open ipconfig and blah blah blah…” Windows is such a POS.

  2. the only reason that we are forced to use the network layers of the OSI for security is because Microsoft sucks. If they simply did things like make applications that didn’t have functionality problems, we wouldn’t have to block traffic.

    properly made applications would reject malformed data on their input port. But alas, thanks to everyone being paranoid, we have to modify our networks to protect users from the shit products that they use.

    i have had Macs on the internet since 1995 – i have never turned on a firewall or used a piece of anti-virus software. I have run mail and email servers on them as well. I have seen millions of attacks on these machines, but never once was i ever broached because i didn’t chose to use shit products from a shit company.

  3. According to Gaffie, exploiting the flaw crashes Windows 7 and Server 2008 R2 systems so thoroughly that the only recourse is to manually power off the computers.

    Are you kidding? Pulling the plug is the only way I can log out. Ever.

  4. How can Microsoft “downplay” a vulnerability which requires users to block ports on their firewall that will cripple their web browsers?

    Microsoft said it may patch the problem,

    …”may”?? What, if they happen to feel like it?

    </i>but didn’t spell out a timetable or commit to an out-of-cycle update</i>

    Oh, well no hurry guys, don’t rush or anything… sheesh.

  5. Hi Grandma,

    Its almost Tuesday and close to another patch-day for your computer. Good news … you don’t need to call me this week (BTW, just to bring up something we talked about last time, 9am in NY is not noon in CA). Anyway, with your upgrade to Vista, Microsoft has a much improved patch program. They now have a “yeah, right” or “as if!” policy, adapting some of the more insightful technological theories from Valley Girls, Inc. So, no more patches! Who would’ve thunk they had made such progress!

    L, Bud

  6. 7ista users would be easily protected from attack by simply disconnecting the computer’s power cable. Until next month or so. (other attacks not included in this message.)

    Best wishes and good luck,

    Steve Ballmer

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.