Windows 7 Security Flaw Could Disable Computer

Microsoft is examining claims that a bug in Windows 7 could allow a hacker to remotely disable a computer. The news comes just as the firm urges users of previous editions of Windows to give priority to one particular patch in this month's security update.

The Windows 7 bug, reported by a security researcher who's posted what he claims to be code for exploiting the bug, involves the Server Message Block. That's a section of Windows used in networks for features such as file and printer sharing.

Bug Allows "Infinite Loop" Attack

Laurent Gaffie says that the bug could make it possible for a hacker to force the Windows 7 kernel into an infinite loop. (The kernel is effectively the controller of Windows and determines exactly what a computer can do at any time.) That wouldn't allow the hacker to access a user's data or install any software. However, it would mean that the computer would be rendered useless until it was restarted. This would make the bug a particularly useful tool for anyone wanting to cause damage to a company or organisation by tying up its resources.

The bug is also said to affect Windows Server 2008 R2. Gaffie told Microsoft about the issue before releasing the information and the software company has confirmed it is investigating and will issue a patch if necessary. (Source: computerworld.com)

Separate Kernel Bug Requires Immediate Patch

Meanwhile, users of earlier editions of Windows have been told to take particular care to install a security update listed as MS09-065 in this month's update. It blocks another loophole which also involves the kernel. With Vista it would again only allow the hacker to tie up the kernel (a "denial of service" attack), but with XP it could give them the ability to control the kernel's activity in more detail. (Source: microsoft.com)

The bug involves the Embedded Open Type system, which is used by some websites to display a typeface which users might not have, but in a way that prevents them from copying it to use themselves. One use for this would be for a design company that wants to show off its typographical work.

To activate the bug, the hacker would have to entice the victim to visit a rogue webpage with an infected font embedded on it -- for example, via a link in a bogus email.