The first service pack for Windows 7 and Windows Server 2008 is still over half a year away from finalization, but Microsoft is bound to start patching it soon enough. At the end of the past week, the software giant confirmed a Critical zero-day vulnerability affecting all supported editions of Windows client and server. At the same time, the Redmond company also points out that Windows 7 Service Pack 1 (SP1) Beta and Windows Server 2008 R2 SP1 Beta are also impacted by the 0-day security flaw, and that early adopters testing the two releases need to take the necessary measures to protect their machines against attacks.
In the FAQ associated with Security Advisory (2286198), the Redmond company asks “How are the Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 Beta releases affected by this vulnerability?” only to answer “Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 Beta are affected by the vulnerability. Customers running these beta releases are encouraged to apply the workarounds described in this advisory.”
According to Microsoft, the newly discovered Windows Shell vulnerability is related to the manner in which Windows parses shortcuts. Malicious code can potentially be executed when the icon of a specially crafted, malformed shortcut is displayed in Windows Explorer, because Windows incorrectly parses such objects. Dave Forstrom, Director of Marketing Communications, Integrated Communications & Response, Microsoft Trustworthy Computing, warned that Microsoft has already detected attacks in the wild involving removable drives.
Customers running Windows 7 enjoy an extra mitigation against these types of attacks because the AutoPlay functionality for removable media is switched off by default in the operating system. “The Windows Shell vulnerability is operating in conjunction with the Stuxnet malware,” Forstrom explained.
“Microsoft recommends that customers follow the guidance provided in the Security Advisory, where they can find suggested mitigations and tested workarounds. Microsoft will continue to investigate the vulnerability and, upon completion of that investigation, we will take appropriate action to protect customers,” he added in a message to Pctipsbox.
Windows 7 SP1 Beta was released to the public for testing earlier this month. While Microsoft doesn’t usually offer updates for pre-release software, it does make exceptions for Critical vulnerabilities. In this regard, the company can be expected to release a patch for the Windows Shell flaw in Windows 7 SP1 Beta, along with the security updates for older versions of Windows, including Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows XP and Windows Server 2003.
Windows 7 Service Pack 1 (SP1) Beta and Windows Server 2008 R2 Service Pack 1 (SP1) Beta are available for download here.