Windows 7 escaped the monthly patching process earlier this week, but it didn't escape the notice of hackers. What some security researchers are calling the first zero-day exploit in Windows 7 has been identified and Microsoft is investigating the issue.
Security researcher Laurent Gaffié called Microsoft on the carpet for its Secure Development Lifecycle (SDL) process on Wednesday. Gaffié also published proof-of-concept exploit code that he says will crash both Windows 7 and Windows Server 2008 R2.
"This bug is a real proof that SDL #FAIL," Gaffié wrote in his blog post. "The bug is so noob, it should have been spotted two years ago by the SDL if the SDL had ever existed."
The SMB Flaw
At the core of the vulnerability is the SMB (Server Message Block) protocol, the foundation of Windows file sharing. According to Gaffié, the bug triggers an infinite loop on SMB and can be triggered remotely via Internet Explorer. Gaffié notified Microsoft on Nov. 8 before releasing his proof of exploit on Nov. 11.
When Microsoft released Windows 7 to manufacturing, rumors were rampant about a showstopper bug that could threaten the success of the all-important Vista successor. At that time, technology researchers claimed to have found a bug in the new operating system that causes a massive memory leak and could cause the company to delay the final release. But Microsoft was not able to reproduce the crash.
Other than that, security issues have been nonexistent -- until now. Although Microsoft has had issues with SMB in the past, security researchers have noted that the SMB vulnerability was difficult to exploit with default firewall conditions. There is a workaround: blocking ports 135, 139 and 445 on the router or firewall to prevent outside SMB traffic from getting into a system.
Bragging Against Microsoft
Chet Wisniewski, a senior security adviser at Sophos, isn't surprised to see an exploit in Windows 7 so soon after its release. That, he said, is because the Windows code was finalized very early this summer.
"Attackers have had plenty of time to look for holes," Wisniewski said. "This particular flaw was not too difficult to discover, leading the attacker to brag about how stupid it was for Microsoft to have missed it."
At this point, there's no grave danger for Windows 7 users. As Gaffié noted in his disclosure, exploiting the vulnerability can crash a host. That translates to rebooting the computer. Wisniewski noted that the zero-day vulnerability is not in worm form as of yet, and only applies to Windows 7 and Windows 2008 R2. That means it's simply a denial of service at this point.
Will Microsoft issue an out-of-cycle patch? Not unless someone tries to use this to cause a lot of people to complain, Wisniewski said. "The only real way to use it is to spam out a UNC path and trick users into connecting to it," he explained. "It is unlikely, being that no data is lost, and it requires the user to take an action to be affected."
Wisniewski said the author's aggression toward Microsoft is interesting, but aside from that this is simply another everyday denial-of-service vulnerability in Windows.