Microsoft Windows 7: Serious Flaws In Unpatched 7

Microsoft Windows 7: Serious Flaws In Unpatched 7.

“A serious security vulnerability in Microsoft’s newest operating system could expose users to code execution and denial-of-service attacks,” according to Microsoft.  

In the meantime the company has begun to investigate the problems and has activated its “security response” process with promises of a patch once the investigations are complete.

I’m not much into the technical aspects of computing.  All I want is for my computer to function in a way that I can feel comfortable.  But, this early into the release of Windows 7 is disconcerting.  It reminds us of the time when Bill was demonstrating the latest version of Windows only to have the “blue screen of death” pop up on the huge TV for all the world to see.

According to the MSRC Blog:

“Code execution, while possible in theory, would be very difficult due to memory randomization both in kernel memory and via Address Space Layout Randomization (ASLR). Additionally, this vulnerability only affects Windows systems if they have the Aero theme installed; Aero is not switched on by default in Windows Server 2008 R2, nor does 2008 R2 include Aero-capable graphics drivers by default.”

The vulnerability, only affects Windows 7 and Windows Server 2008 R2.  The flaw was found in the Canonical Display Driver (cdd.dll), which is used by desktop composition to blend the Windows Graphics Device Interface (GDI) and DirectX drawing. The company said there are are no reports of attacks attempting to exploit the flaw.

Is this vulnerability because of a “rush” to get a product out, or is the product easy to compromise?  Since they say that there are no records of a violation, was it wise to reveal the vulnerability?  Does this not open the door for professional hackers to dig into the code knowing that it can be easily compromised?

In the meantime, affected Windows 7 or Windows 2008 R2 users should consider disabling the Windows Aero Theme to prevent the issue from being exploited.

(additional information from Ryan Naraine)