In December 2007, Microsoft patched the file- and printer-sharing functionality in Windows Vista to fix a vulnerability it rated Important. In the process, the company inadvertently introduced a critical flaw, a security researcher said on Friday.
In an e-mail interview with SecurityFocus, Laurent Gaffié -- the researcher who disclosed a critical flaw in Microsoft's Server Message Block (SMB) version 2 code earlier this week -- said that further research pinpointed the specific patch that, he contends, added the vulnerability to Windows Vista. That patch, which fixed a remote code execution flaw in SMBv2 signing, was rated Important rather than Critical by Microsoft because the vulnerable feature was not turned on by default. The vulnerability the patch allegedly introduced can be exploited against an affected system in its default configuration, which usually merits a Critical rating from Microsoft.
"The only thing I know regarding this 'patching' process is, when they fixed this code, they opened another bigger, worse security issue," Gaffié said in the e-mail interview.
Microsoft denied the claim in a statement issued to SecurityFocus on Friday.
"We researched this claim by the researcher and confirmed this vulnerability was not introduced by MS07-063," Christopher Budd, security response communications lead for Microsoft, said in a statement.
On Monday, Gaffié posted some details of the flaw to his blog. He initially labeled the issue a crash bug, one that triggers the "Blue Screen of Death," or BSOD, the blue error screen Windows displays when the kernel crashes. Microsoft acknowledged the vulnerability and also confirmed other researchers' reports that the issue could allow an attacker to compromise a system, not merely crash it.
Security firms warned that the issue could be used as a propagation vector by a network worm.
The vulnerability affects Windows Vista, pre-R2 versions of Windows Server 2008, and pre-release builds of Windows 7, Microsoft's soon-to-be-released operating system. The version of Windows 7 released to manufacturers does not have the flaw, Microsoft said in its advisory.
Microsoft created its Trustworthy Computing Initiative to catch just this sort of issue. As part of the initiative, the company created its Security Development Lifecycle (SDL), a development process that subjects code to security review at each stage in the hope of eliminating vulnerabilities before they affect Microsoft customers. Windows Vista was the first Microsoft operating system developed entirely under the program.
UPDATE: This article was updated with a comment from Microsoft denying the researcher's claims.
Posted by: Robert Lemos