Security Watch

Windows 7 Gets Its First Bug

Plus: hackers try to bypass Windows 7's WAT; Internet Explorer attack can hurt the kernel.

• By Jabulani Leffall
• 11/17/2009

In an inauspicious beginning to the week, the first zero-day bug for Windows 7 has emerged.

The bug touches on Microsoft's Server Message Block (SMB) program -- specifically, SMBv1 and SMBv2 on Windows 7 and Windows Server 2008 R2. Microsoft has issued a security advisory describing workarounds, but says most users would be protected from attacks by blocking two ports at the firewall.

This isn't the first time SMB issues have popped up. In the last three months, there've been instances of exploits affecting the program through different attack vectors, with different implications.

This latest exploit is of the denial-of-service variety and, if effective, would deny a user or administrator entry, or change or delete access into the program.

Windows 7 Without WAT?
According to the blog My Digital Life, hackers have been trying to figure out how to bypass Windows Activation Technologies (WAT) in Windows 7.

WAT is the activation requirement for an installed Windows 7 system, conceived by Microsoft's anti-piracy team as a means to curtail rogue installations of the OS on unlicensed PCs.

Now, My Digital Life and other sites are reporting that so-called bypass commands such as "RemoveWAT" and "ChewWGA" are spreading on the Internet and could help users install Windows 7 without a product key.

Of course, the main drawback of such an installation -- other than it being illegal -- is that hackers can use corrupt instances of Windows 7 to build code across network bridges and also create a veil of anonymity.

Microsoft said as much in an e-mail statement, saying that such instances of Windows 7 could "contain malware." The software giant also claimed to be "aware of this workaround and [is] already working to address it."

The Kernel Is the Key
Security gadflies like Jason Miller of Shavlik Technologies and H.D. Moore, creator of the popular open source exploit clearinghouse Metasploit and now chief security officer of Rapid7, think proof-of-concept code may be in the works to attack the Windows kernel, the operative heart of the OS.

That's why experts are keeping their eyes on Embedded OpenType (EOT) fonts, the focal point of a recently patched critical vulnerability in this month's Patch Tuesday slate. Hackers can use EOT fonts on Internet Explorer pages, potentially tricking users into clicking on them and thus triggering exploit code.

Microsoft said in a security bulletin that "the most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font."

Conventional wisdom has hackers moving toward attacking applications, preferring to enter a network that way instead of through more sturdy OSes. But IE is an application that thinks and sometimes acts like an OS, and with the growth of browser-borne enterprise projects, an attack on IE can lead directly to the kernel.

In an e-mailed statement regarding last week's patch release, Shavlik's Miller said an exploit would hit the wild "sooner than later." And for his part, Rapid7's Moore said he was actually testing potential proofs-of-concept -- or, to use his words, "working on ways to test the critical flaw against the MS patch."