By Robert Vamosi
A vulnerability making Windows 7 and Windows Server 2008 R2 susceptible to a Web-based attack went uncorrected in this week’s Patch Tuesday releases.
A fix for the same glitch in Vista and Windows Server 2008 appeared in October, but it’s not known when a Win7 patch can be expected.
Disagreement on the extent of SMB vulnerability
Missing from the list of fixes released this month by Microsoft is one for a critical flaw in Server Message Block 2.0 that affects Windows 7 and Server 2008 R2. The company’s non-action is explained in MS security advisory 977544.
According to researchers, the SMB hole could be exploited via a compromised computer on your local network. More ominous, however, is the possibility of an attack from an infected Web page, as explained by Tony Bradley of PC World on Nov. 16.
In September, researcher Laurent Gaffié discovered and reported a Negotiate Protocol Request flaw in SMB 2 that, he claimed, affected Vista, Windows 7, and Windows Server 2008. Microsoft countered that the vulnerability did not pose a threat to Windows 7 users.
When the software giant patched the flaw in MS09-050, the fix applied only to Vista and certain versions of Windows Server 2008, not to Win7 or Server 2008 R2.