Microsoft Confirms Windows Zero Day VulnerabilityMicrosoft Confirms Windows Zero Day Vulnerability
Proof of concept code released for attack that uses malformed requests to crash any version of Windows, though remote execution appears unlikely.
February 17, 2011
Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010
Microsoft confirmed Wednesday that a previously unknown heap buffer overflow vulnerability can affect the browser service module in Windows.
The vulnerability was first disclosed on Monday, in a Valentine's Day gift to Microsoft, when a security researcher released details and proof-of-concept exploit code.
The server message block (SMB) vulnerability exists "inside an error-reporting function of the CIFS (common Internet file system) browser service module," said Matt Oh, a security researcher at Microsoft, in a blog post.
Microsoft didn't receive any advance notification of the vulnerability. "Luckily, the [proof of concept] was not fully weaponized -- that is, it was not designed to achieve remote code execution, just a denial of service -- although it has been reported as being a remote code execution vulnerability," said Oh.
Security vulnerability information service Vupen rates the bug as "critical," noting that it could be used to not just create a denial of service, but also to remotely run exploit code on a computer.
But despite Vupen's assessment, the bug may not be remotely exploitable. For starters, the security researcher who disclosed the flaw, Cupidon-3005 (French for cupid), rated the risk of remote exploitability as unlikely. Likewise, security researchers at Microsoft said they haven't been able to exploit the bug remotely. That's because the attack works by joining multiple strings of data, yet an attacker can't control where the data ends up, which makes injecting exploit code -- at least theoretically -- not possible.
"Our conclusion is that the part of the string that the attacker can control will always end up inside the allocated buffer, and the part the attacker can't control is in the part that overflows the buffer," said Oh. "As a result, we don't (yet) see how [remote code execution] can happen."
While the exploit likely only affects local network segments, "all versions of Windows are vulnerable, although the issue is more likely to affect server systems running as the Primary Domain Controller (PDC)," said Mark Wodrich, a security software engineer at Microsoft, in a blog post. "In environments following best practices, the browser protocol should be blocked at the edge firewalls, thus limiting attacks to the local network."
Blocking the browser protocol requires blocking or filtering UDP and TCP ports 138, 139, and 445.
About the Author(s)
Tricks to Boost Your Threat Hunting GameNov 06, 2023
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report
2021 Banking and Financial Services Industry Cyber Threat Landscape Report
5 Reasons To Move your PKI Deployment to the Cloud