Microsoft Windows operating systems can be crashed just by running simple code.
In a major long-standing vulnerability in the Windows operating system, identified by 2X Software, it could affect PCs and servers running anything from the latest Windows 7/Server 2008 versions to Windows 2000/Server 2003.
The flaw was discovered by 2X Software's testing tools that resulted in a blue screen and system reboot. It claimed that the code needed to crash the system is very easy to develop and perfectly legal, with no ‘tricks' or unusual techniques being required.
With just a few lines of code an application can be created that will crash the whole Windows system and the flaw can be easily used inside malicious applications to generate a denial-of-service (DoS) attack. The problem can be easily corrected within the OS code by validating the arguments passed to the API.
It said that as the vulnerability appears to have been introduced during the development of the Windows 2000 Operating System (as Windows NT 4.0 is unaffected), it is around ten years old. It is also present on 64-bit versions of the operating system (having tested Windows 2008).
Configuring the user as a limited one without administrator rights has no effect and the problem still persists.
However as the crash vulnerability needs code to run, users are at risk when running an application, script or active-x control. It recommended not running any applications from unknown sources, avoiding websites of unreliable content, configuring your web browser to the safest settings and arming yourself with an updated virus scanner.
Also, businesses running thin client architecture that use other operating systems are unaffected; however the Windows-based server side will have the same crash vulnerability.
Paul Gafa, CTO of 2X Software, said: “This is a major problem with potentially tens of millions of devices at risk. Such a vulnerability leaves users open to DoS attacks, which can be devastating – imagine your company servers and PCs being restarted remotely every few minutes.
“As it affects all the latest versions of the operating system, I expect Microsoft to patch it very quickly. They have already been informed.”