Microsoft ignores German Federal IT security finding, exposing consumers to "high" risk in Windows 7

Bernhard Reiter reiter at fsfeurope.org
Fri Oct 23 09:27:11 UTC 2009


Germany's Federal Office for Information Security (BSI) 
found a "high" risk vulnerability, unfixed in Windows 7, 
and issued a short advisory on the 6th of October. 
Microsoft seems to ignore them.

The FSFE press release from Monday [1] included an English translation 
of the relevant BSI short advisory, which has not been updated up to now.
This way we have enabled our English-speaking community to inform customers
that the box of Windows 7 they are going to buy these days has a problem if 
they want to use SMB2 to share files or printers over the network, and 
that Microsoft just keeps silent on this "high" risk issue from an official 
German Federal CERT team.

This SMB2 vulnerability has not yet been reported on in English before. 
To the best of my knowledge FSFE provided the first public translation. 
(Do not mix this up with other SMB2 vulnerabilities, 
of which there were a few lately.)

As BSI is known to contact the vendors early, we can safely 
assume that Microsoft has all the information to reproduce the problem, 
quite likely even before the 6th of October. 
So why would Microsoft be silent about it, as they are now?
If this is nothing, they could say so, 
or they could warn all of their users right away if it turns out to be an issue.

Note that this is a Denial of Service vulnerability which of course we cannot 
fully reproduce and evaluate ourselves. (A reason why FSFE asks the BSI
in the press release to do full disclosure on this special occasion, given the 
track record of the vendor.) BSI has 5 security levels and "high" corresponds 
to the fourth, one lower than "very high". So this is not the worst security 
problem in the world; I still find it notable how it is treated in light of 
the starting sale.

And yes, security problems exist with all software and vendors, including 
GNU/Linux distributions and other Free Software. Also, everybody has the 
update problem, and responsible system administration remains the most 
important factor. But does this make it okay to deliberately ship a broken 
product without warning? Even if this is just broken in one out of several 
functions and there are duct-tape methods to fix it? Again this shows the 
underlying structural issue known to Free Software people for a long time: 
nobody except the vendor has the freedom to fix the issue.

Why should this be of concern to a Free Software person like me?
Beside the point that we are all network neighbours,
many computer users just shrug and accept a bad job by vendors
or bad quality in software. Alternatives to the main proprietary
vendor are often too little known.

If we want more people to try Free Software and change the overall situation
in the long run, we need to change this mindset and point out if something
goes seriously wrong, even if Free Software cannot make it magically right.
It is a long-term concern to fund the right structures which are good for 
vendors that treat users fairly.

Best Regards,
Bernhard

[1] http://fsfe.org/news/2009/news-20091019-01.en.html

-- 
FSFE -- Deputy Coordinator Germany                            (fsfeurope.org)
Your donation makes our work possible:  www.fsfeurope.org/help/donate.en.html