Microsoft ignores German Federal IT security finding, exposing consumers to "high" risk in Windows 7
Bernhard Reiter
reiter at fsfeurope.org
Fri Oct 23 09:27:11 UTC 2009
Germany's Federal Office for Information Security (BSI)
found a "high" risk vulnerability, unfixed in Windows 7,
and issued a short advisory on the 6th of October.
Microsoft seems to ignore them.
The FSFE press release from Monday [1] included an English translation
of the relevant BSI short advisory - which has not been updated up to now.
This way we have enabled our English speaking community to inform customers
that the box of Windows 7 they are going to buy these days has a problem if
they want to use the SMB2 to share files or printers over the network. And
that Microsoft just keeps silent on this "high" risk issue from an official
German Federal CERT team.
This SMB2 vulnerability has not yet been reported on in English before.
To my best knowledge, FSFE provided the first public translation.
(Do not mix this up with other SMB2 vulnerabilities,
of which there were a few lately.)
As BSI is known to contact the vendors early, we can safely
assume that Microsoft has all the information to reproduce the problem,
quite likely even before the 6th of October.
So why would Microsoft be silent about it, as they are now?
If this is a nothing, they could say so
or they could warn all of their users right away if it turns out to be an issue.
Note that this is a Denial of Service vulnerability which of course we cannot
fully reproduce and evaluate ourselves. (A reason why FSFE asks the BSI
in the press release to do full disclosure on this special occasion, given the
track record of the vendor.) BSI has 5 security levels and "high" corresponds
to the fourth, one lower than "very high". So this is not the worst security
problem in the world - I still find it notable how it is treated in light of
the starting sale.
And yes, security problems exist with all software and vendors, including
GNU/Linux distributions and other Free Software. Also everybody has the
update problem and responsible system administration remains the most
important factor. But does this make it okay to deliberately ship a broken
product without warning? Even if this is just broken in one out of several
functions and there are duct tape methods to fix it? Again this shows the
underlying structural issue known to Free Software people for a long time:
Without the freedom for anyone except the vendor to fix the issue?
Why should this be of concern to a Free Software person like me?
Beside the point that we are all network neighbours -
many computer users just shrug and accept a bad job by vendors
or bad quality in software. Alternatives to the main proprietary
vendor are often too little known.
If we want more people to try Free Software and change the overall situation
in the long run, we need to change this mindset and point out if something
goes seriously wrong. Even if Free Software cannot make it magically right.
It is a long term concern to fund the right structures which are good for
vendors that treat users fairly.
Best Regards,
Bernhard
[1] http://fsfe.org/news/2009/news-20091019-01.en.html
--
FSFE -- Deputy Coordinator Germany (fsfeurope.org)
Your donation makes our work possible: www.fsfeurope.org/help/donate.en.html