In association with heise online

17 October 2009, 15:19

Microsoft has known of the SMB2 hole for some time

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

It appears that Microsoft was aware of the SMB2 security hole in Vista and Server 2008 (patched on the recent Patch Tuesday) even before an independent security expert discovered and publicised it in early September. This became evident when Security Development Lifecycle expert Michael Howard said on Microsoft's SDL blog yesterday (Thursday) that the same bug was found "very late in the Windows 7 development process" and that it was, therefore, already fixed in the final version of Windows 7.

It seems that Howard only intended to explain why the first public bug report in September said that Windows 7 was affected by the network stack hole, although it then turned out very quickly that the hole only affected the release candidates. However, as Windows 7 Final has been available to download since the beginning of August, Microsoft must have known of the bug at least since July. Metasploit developer HD Moore provocatively enquired on Twitter: "So why didn't they back port (the patch) to Vista/2008?" Fuzzing expert Charlie Miller replied promptly: "They must have thought no-one would find it, oops."

While we can only speculate about the real background story, the incident confirms the theory that Microsoft initially puts internally discovered programming bugs on a secret list, intending to fix them at low priority while the public is unaware of them, regardless of their threat level. Security updates tend to involve comprehensive testing, because potential problems on millions of deployed systems can be difficult to predict. For products that are still in development or haven't officially been released, like Windows 7, such testing is much less involved. In addition, software vendors often tend to quietly close security holes discovered in-house, to avoid negative publicity.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit