Windows 7 security default worries experts | Tech News on ZDNet

Corporate IT departments should be pleased with new security measures in Windows 7, but consumers are still at risk of getting hit by malware despite changes in the User Account Control (UAC) feature designed to help people be smarter when using applications, security experts say. More »

Microsoft: Windows 7 not affected by latest flaw | Tech News on ZDNet

Microsoft issued a formal security advisory late Tuesday on a reported zero-day flaw in Windows Vista and Windows Server 2008. However, the software maker also said that the flaw does not affect the final version of Windows 7, contrary to earlier reports. More »

Windows 7 UAC code-injection vulnerability: video demonstration, source code released – istartedsomething

Long demonstrates a vulnerability in Windows 7 UAC and asks Microsoft to make users aware of it. More »

KB970789

In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.

For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:

Access is denied.

Furthermore, the missing security descriptor entries protect non-admin file operations directly under the root.

KB958690

This security update resolves several privately reported vulnerabilities in the Windows kernel. The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system. The security update addresses the vulnerabilities by validating input passed from user mode through the kernel component of GDI, correcting the way that the kernel validates handles, and changing the way that the Windows kernel handles specially crafted invalid pointers.

KB961260

This security update resolves two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles the error resulting in the exploitable condition.

Note that the Security Bulletin lists this update as Critical for Internet Explorer 7 in Windows Vista. It makes no mention of Internet Explorer 8, or of Windows 7 Beta, so it is unclear what the severity of this vulnerability is with IE8 on Windows 7 Beta.

• Uninitialized Memory Corruption Vulnerability – CVE-2009-0075
• CSS Memory Corruption Vulnerability – CVE-2009-0076

» Microsoft’s worst nightmare: Windows 7 deemed less secure than Vista | All about Microsoft | ZDNet.com

Windows 7 is getting great reviews, but this could slow that positive vibe. Less secure than Vista could be how people start to perceive Windows 7. More »

Second Windows 7 beta UAC security flaw: malware can silently self-elevate with default UAC policy – istartedsomething

A second ‘flaw’ is now found with UAC. Microsoft may be fixing this one, but has not responded so far. More »

Sacrificing security for usability: UAC security flaw in Windows 7 beta (with proof of concept code) – istartedsomething

Microsoft’s changes to UAC leave it terribly vulnerable, and Long displays how with a simple program you can run. Thankfully, he gives a suggestion on how you can avoid the problem, and how Microsoft can fix the hole without to much hassle. More »

The Microsoft Security Response Center (MSRC) : January 2009 Monthly Bulletin Release

Windows 7 is affected by the SMB Validation Denial of Service Vulnerability (CVE-2008-4114) and would be rated as Moderate because the vulnerability would require authentication for any attack to succeed. Microsoft provides security updates for beta versions of Windows through Windows Update for Critical issues only. So the SMB Validation Denial of Service Vulnerability (CVE-2008-4114) will be addressed in the next public release for Windows 7. More »