Microsoft patches first critical bug in Windows 7 beta

Three kernel vulnerabilities also affect newest OS

Microsoft patched the first critical vulnerability in Windows 7 Tuesday as it rolled out an update that fixes three flaws in the new operating system's kernel.

The MS09-006 update, which researchers tagged as the most serious of the three issued Tuesday and the one to patch first, includes a critical bug in the kernel's processing of input delivered by the graphical device interface (GDI), the core graphics rendering component of Windows.

According to Microsoft, the public beta of Windows 7, as well as previews of other editions of the OS, contain the three flaws fixed by MS09-006. "These vulnerabilities were reported after the release of Windows Server 2008 Service Pack 2 Beta, Windows Vista Service Pack 2 Beta, and Windows 7 Beta," Microsoft said in the accompanying bulletin. "Customers running these platforms are encouraged to download and apply the update to their systems."

All supported versions of Windows, ranging from Windows 2000 and XP to Vista and Server 2008, require patching. "It's in all versions of Windows; it's deep in the kernel and in GDI," Wolfgang Kandek, chief technology officer at security company Qualys, said in an interview Tuesday.

Attackers could use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) images to exploit the bug in Windows 7, just as they could in other editions. Microsoft said the malicious images could be fed to users via e-mail, placed on Web sites or added to other documents. Simply viewing the images would trigger the vulnerability.

Computerworld has confirmed that machines running the public preview of Windows 7, which Microsoft offered for a month, from January 10 to February 12, are offered the MS09-006 security update.

This is not the first time that Microsoft has patched Windows 7. Just days after it delivered the beta, it fixed a flaw that shaved several seconds of audio from MP3 files. At the time, a Microsoft spokesman said that the only Windows 7 bugs the company would patch using Windows Update were those tagged "critical."

"This tells us that Windows 7 is not only a cousin of Vista, but also a cousin of Windows 2000," said Kandek Wednesday, referring to the fact that even the ancient Windows 2000 contains the kernel vulnerabilities. "Certain things in the kernel have obviously not changed in Windows 7."

The Windows 7 security update can also be downloaded manually from Microsoft's site in versions for the 32-bit and 64-bit editions of the operating system.

More about: Microsoft, Qualys, VIA
References show all

Comments

1

Anonymous

Thu 12/03/2009 - 18:54

It was only a matter of time I suppose. I probably won't upgrade anyway.

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Windows 7
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/22/cdex/

CDex

CDex can extract the data directly (digital) from an Audio CD, which is generally called a CD Ripper or a CDDA utility.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia