Germany's Federal Office for Information Security (BSI) found a "high" risk vulnerability, unfixed in Windows 7, and issued a short advisory on the 6th of October. Microsoft seems to be ignoring it.
The FSFE press release from Monday [1] included an English translation of the relevant BSI short advisory - which has not been updated so far. This way we have enabled our English-speaking community to inform customers that the box of Windows 7 they are going to buy these days has a problem if they want to use SMB2 to share files or printers over the network. And that Microsoft just keeps silent on this "high" risk issue from an official German Federal CERT team.
This SMB2 vulnerability has not been reported on in English before. To the best of my knowledge, FSFE provided the first public translation. (Do not mix this up with other SMB2 vulnerabilities, of which there have been a few lately.)
As BSI is known to contact vendors early, we can safely assume that Microsoft has all the information needed to reproduce the problem, quite likely from even before the 6th of October. So why would Microsoft be silent about it, as they are now? If this is nothing, they could say so; if it turns out to be an issue, they could warn all of their users right away.
Note that this is a Denial of Service vulnerability which, of course, we cannot fully reproduce and evaluate ourselves. (A reason why FSFE asks the BSI in the press release to do full disclosure on this special occasion, given the track record of the vendor.) BSI has 5 security levels and "high" corresponds to the fourth, one lower than "very high". So this is not the worst security problem in the world - I still find it notable how it is treated in light of the start of sales.
And yes, security problems exist with all software and vendors, including GNU/Linux distributions and other Free Software. Also, everybody has the update problem, and responsible system administration remains the most important factor. But does this make it okay to deliberately ship a broken product without warning? Even if it is just broken in one out of several functions and there are duct-tape methods to fix it? Again this shows the underlying structural issue Free Software people have known about for a long time: nobody except the vendor has the freedom to fix the issue.
Why should this be of concern to a Free Software person like me? Besides the point that we are all network neighbours - many computer users just shrug and accept a bad job by vendors or bad quality in software. Alternatives to the main proprietary vendor are often too little known.
If we want more people to try Free Software and change the overall situation in the long run, we need to change this mindset and point out when something goes seriously wrong, even if Free Software cannot magically make it right. It is a long-term concern to fund the right structures, which are good for vendors that treat users fairly.
Best Regards, Bernhard
[1] http://fsfe.org/news/2009/news-20091019-01.en.html