Microsoft Corp. patched the first critical vulnerability in Windows 7 yesterday as it rolled out an update that fixes three flaws in the new operating system's kernel.
The MS09-006 update, which researchers tagged as the most serious of the three issued Tuesday and the one to patch first, includes a critical bug in the kernel's processing of input delivered by the graphical device interface (GDI), the core graphics rendering component of Windows.
According to Microsoft, the public beta of Windows 7, as well as previews of other editions of the OS, contain the three flaws fixed by MS09-006. “These vulnerabilities were reported after the release of Windows Server 2008 Service Pack 2 Beta, Windows Vista Service Pack 2 Beta, and Windows 7 Beta,” Microsoft said in the accompanying bulletin. “Customers running these platforms are encouraged to download and apply the update to their systems.”
All supported versions of Windows, ranging from Windows 2000 and XP to Vista and Server 2008, require patching. “It's in all versions of Windows; it's deep in the kernel and in GDI,” Wolfgang Kandek, chief technology officer at security company Qualys Inc., said in an interview yesterday.
Attackers could use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) images to exploit the bug in Windows 7, just as they could in other editions. Microsoft said the malicious images could be fed to users via e-mail, placed on Web sites or added to other documents. Simply viewing the images would trigger the vulnerability.
Computerworld has confirmed that machines running the public preview of Windows 7, which Microsoft offered for a month, from Jan. 10 to Feb. 12, are offered the MS09-006 security update.
This is not the first time that Microsoft has patched Windows 7. Just days after it delivered the beta, it fixed a flaw that shaved several seconds of audio from MP3 files. At the time, a Microsoft spokesman said that the only Windows 7 bugs the company would patch using Windows Update were those tagged “critical.”
“This tells us that Windows 7 is not only a cousin of Vista, but also a cousin of Windows 2000,” said Kandek today, referring to the fact that even the ancient Windows 2000 contains the kernel vulnerabilities. “Certain things in the kernel have obviously not changed in Windows 7.”
The Windows 7 security update can also be downloaded manually from Microsoft's site in versions for the 32-bit and 64-bit editions of the operating system.