Windows crash vulnerability could catch millions of PCs and servers

Stand by for a new wave of denial of service attacks, thanks to a 10-year old operating system flaw, thought to be one of the biggest security vulnerabilities in the Windows OS for many years.

Virtual computing firm 2X Software identified the problem, and Paul Gafa, the company's CTO, says that any PCs or servers running anything from the latest Windows 7/Server 2008 versions down to Windows 2000/Server 2003 could be affected. They can be crashed just by running a few lines of code, he says, and he confirms that Microsoft has already been informed.

The code needed to crash the system is very easy to develop and perfectly legal, with no tricks or unusual techniques required, he adds. However, it can easily be used inside malicious applications to generate an attack – although the problem can easily be corrected within the operating system code by validating the arguments passed to the API.

"This is a major problem with potentially tens of millions of devices at risk. Such a vulnerability leaves users open to Denial of Service attacks, which can be devastating. Imagine your company servers and PCs being restarted remotely every few minutes.

"As it affects all the latest versions of the operating system, I expect Microsoft to patch it very quickly."

For now, users are at greatest risk when running an application, script, or ActiveX control. As with all malicious code, the best way to avoid problems is not to run applications from unknown sources, avoid websites with unreliable content, configure your web browser to its safest settings, and arm yourself with an up-to-date virus scanner.