Microsoft issued an advisory Friday warning users of a serious denial-of-service (DoS) vulnerability in the protocol that handles messages between devices on a network for its newest Windows 7 operating system.
The flaw, found in the Server Message Block (SMB), could allow a denial of service and crash a Windows 7 machine if exploited by an attacker. The Windows 7 DoS vulnerability could be exploited if a victim visits a malicious website.
"While we are not currently aware of active attacks, we continue to recommend customers review the mitigations and workarounds detailed in the security advisory to protect themselves as we work to develop a comprehensive security update," Mike Reavey, group manager at the Microsoft Security Response Center wrote in the MSRC blog.
Reavey said Microsoft engineers are working on an update to correct the Windows 7 DoS error. Disabling SMBv2 is not an effective workaround. According to a report issued by the SANS Institute, the flaw affects both SMBv1 and SMBv2.
The Microsoft security advisory urges customers to halt all SMB communications to and from the Internet by blocking TCP ports 139 and 445 at the firewall. The Windows 7 DoS workaround could cause some applications and services to fail, Microsoft said, but it would block any Web-based attacks from taking place.
To exploit the flaw, Microsoft said an attacker could force an SMB connection to an SMB server controlled by the attacker. The connection would then send a malicious SMB response to the victim's machine causing the Windows 7 system to freeze. A Web-based attack can be carried out if the victim is using any standard browser.
The DoS vulnerability affects Windows 7 32-bit and 64-based systems as well as Windows Server 2008 R2 on 64-based and Itanium-based systems. The United States Computer Emergency Readiness Team warned users and administrators Monday to review the Microsoft security advisory and enable the workaround.
It is the second security flaw to affect the fully released version of Windows 7. Microsoft issued a security update in October addressing ActiveX control issues in Windows 7 as a result of components built using a flawed version of Microsoft Active Template Library.