Windows 7 will be officially released on October 22, but large companies with huge volume packages have had it since summer. It has also been available through sources such as Microsoft Developer Network (or Microsoft Developer Network Academic Alliance for students – see my previous post). The code was finalized with the Release to Manufacturing (RTM) version in July.
That it has not actually been released yet does not mean that major security holes are not still being found. In fact, this past Tuesday, a week and a half before the official October 22 release date, Microsoft released one of its largest sets of patches and security bulletins ever: 13 bulletins covering 34 vulnerabilities, including the first Windows 7 critical update (the kind that automatically downloads and installs on all but the most confined Windows systems).
These patches run the gamut of software included by default on Windows, including patches for a hole in SMB (Server Message Block) that allows remote code execution and for a hole in Windows Media Runtime triggered by playing malicious media (even when streaming in the browser). They also cover ActiveX and the Graphics Device Interface.
Most of the holes patched were not previously disclosed, which meant that hackers could have come up with "zero day" exploits (working exploits before the problem is disclosed) and attacked people who were completely unprepared (e.g., to watch out for all Windows Media streaming content). There were also a fair number of patches for exploits that had already been released into the wild.
While this may seem a bit extreme, it is actually quite common for programs as large as operating systems, especially when they have had as much code rewritten as Windows 7 and are this early in their lifecycle. This is one of the reasons that I will never depend on a brand new operating system for my main computing – they are not yet fully tested (companies like to use their first customers as beta testers to find bugs, which they can then patch with updates).