Microsoft Confirms Windows Zero Day Vulnerability

Top 10 Security Stories Of 2010

Microsoft confirmed Wednesday that a previously unknown heap buffer overflow vulnerability can affect the browser service module in Windows.

The vulnerability was first disclosed on Monday, in a Valentine's Day gift to Microsoft, when a security researcher released details and proof-of-concept exploit code.

The server message block (SMB) vulnerability exists "inside an error-reporting function of the CIFS (common Internet file system) browser service module," said Matt Oh, a security researcher at Microsoft, in a blog post.

Microsoft didn't receive any advance notification of the vulnerability. "Luckily, the [proof of concept] was not fully weaponized -- that is, it was not designed to achieve remote code execution, just a denial of service -- although it has been reported as being a remote code execution vulnerability," said Oh.

Security vulnerability information service Vupen rates the bug as "critical," noting that it could be used to not just create a denial of service, but also to remotely run exploit code on a computer.

But despite Vupen's assessment, the bug may not be remotely exploitable. For starters, the security researcher who disclosed the flaw, Cupidon-3005 (French for cupid), rated the risk of remote exploitability as unlikely. Likewise, security researchers at Microsoft said they haven't been able to exploit the bug remotely. That's because the attack works by joining multiple strings of data, yet an attacker can't control where the data ends up, which makes injecting exploit code -- at least theoretically -- not possible.

"Our conclusion is that the part of the string that the attacker can control will always end up inside the allocated buffer, and the part the attacker can't control is in the part that overflows the buffer," said Oh. "As a result, we don't (yet) see how [remote code execution] can happen."

While the exploit likely only affects local network segments, "all versions of Windows are vulnerable, although the issue is more likely to affect server systems running as the Primary Domain Controller (PDC)," said Mark Wodrich, a security software engineer at Microsoft, in a blog post. "In environments following best practices, the browser protocol should be blocked at the edge firewalls, thus limiting attacks to the local network."

Blocking the browser protocol requires blocking or filtering UDP and TCP ports 138, 139, and 445.