Infinite loop bug can crash Windows

The in-house security team at Telia Telecom claim to have spotted a bug in all versions of Windows, which could be exploited as a security vulnerability and cause a machine to crash.

The security team said that the "URL infinite loophole" could be used to exhaust all system resources until a Windows system blue-screens or crashes.

Klaus Dhiim, of Telia Security Group, explained: "On the Windows OS it's fairly easy to create an internet shortcut, for obvious reasons. If however a self-referencing shortcut is set to point to itself, it will exhaust system resources."

The result is an infinite loophole that will DoS (denial of service) the system until it hangs. The bug can also be exploited using HTML-based email or by visiting a hostile homepage containing a specific URL, Dhiim said.

He added: "Since this could be exploited from a self-referencing URL placed on a public website, this is far more complex than Microsoft will admit. An attacker could perform DoS attacks against Windows-based mail clients or carry out email flooding."

But Microsoft spokesman Scott Culp denied the glitch is a security vulnerability. Although he acknowledged it could be used to crash a browser or even a machine, after a reboot the situation would not exist unless the user visited the same website again or reopened the malicious email.

"What you have found is a bug but not a security vulnerability. Our development team has already isolated the cause of the bug and developed a fix, which we'll include in the next service pack," he said.