Microsoft operating system vulnerability claims refuted

Claims made of a major vulnerability in the Microsoft Windows operating system have been refuted.

Jan Fry, head of PCI at ProCheckUp Labs, claimed that the findings by 2X Software were a "little sensationalist".

Yesterday, 2X Software said that with a simple piece of code, an operating system from Windows 7/Server 2008 versions to Windows 2000/Server 2003 could be crashed with malicious applications installed.

But Fry refuted this, saying that the claims indicate that code needs to be run for the vulnerability to be exploited, so an attacker cannot just send some malicious traffic to a Microsoft server and crash it.

Fry said: "First scenario, someone is emailed a malicious application. They run it once and their machine crashes. This person is particularly stupid, so after rebooting, they run the executable again and once again the machine crashes. By now, even a potato would see the correlation and would stop running the executable.

"Second scenario, the malicious code is running as ActiveX on a malicious website. Once they visit the site, assuming they have ActiveX enabled, their machine gets restarted. I suppose this could be a legitimate threat but I hardly see it affecting 'tens of millions of devices'. The exploit is still very circumstantial.

Similar DoS exploits have been found on every flavour of browser. These have raised some concern but they are only really a genuine threat when they cause an exploitable overflow, which could, for example, be used to install a Trojan. There is no indication in the article that they have developed an exploitable overflow, so, at this stage, I don't see the threat."

Fry concluded by claiming that someone could probably write a batch file that simultaneously opens 100 Internet Explorer instances and cause an equally 'devastating' denial-of-service attack.


See original article on scmagazineus.com