Microsoft says zero-day flaw not exploitable remotely

Share this article:

Microsoft this week confirmed the existence of an unpatched vulnerability affecting all versions of Windows, but said it is unlikely the flaw could be exploited remotely.

Details of the vulnerability – and proof of concept (PoC) code showing how to exploit it – were released Monday by an anonymous researcher identified only as “Cupidon-3005” on the Full Disclosure Mailing List, a forum for the disclosure of security issues. The Windows Server Message Block (SMB) vulnerability affects an error-reporting function of the Common Internet File Service browser service module, Matt Oh, a security researcher at Microsoft wrote in a blog post Wednesday. The SMB protocol provides network file-sharing capabilities to Windows machines.

All versions of Windows are vulnerable and there is currently no patch available.  

Researchers at Vupen, a French IT security research company, labeled the flaw “critical” – the highest threat level – and said it could be exploited by remote attackers or malicious users to cause a denial of service or to take complete control of an affected system. Microsoft, however, has downplayed the severity of the flaw.

“While RCE [remote code execution] is theoretically possible, we feel it is not likely in practice,” Mark Wodrich, a security software engineer in the Microsoft Security Response Center engineering team, wrote in a blog post Wednesday. “DoS [denial of service] is much more likely.”

Danish security firm Secunia, meanwhile, labeled the flaw “moderately critical,” or a three out of five in its severity rating scale, also noting that it may allow for the execution of arbitrary code.

The vulnerability can be exploited to cause a buffer overflow via an overly long Server Name string sent in a specially crafted Browser Election Request packet, according to Secunia.

The vulnerability was disclosed to Microsoft without prior notification, the software giant said.

“Luckily, the PoC was not fully weaponized (that is, it was not designed to achieve remote code execution and just a denial of service),” Oh wrote in the blog post.

While waiting for a fix from Microsoft, users can block or filter UDP and TCP ports 138, 139 and 445, Vupen suggested.
Share this article:

Sign up to our newsletters

More in News

Leahy bill would end bulk data collection, introduce reforms

Leahy bill would end bulk data collection, introduce ...

Sen. Patrick Leahy introduced an NSA reform bill that would update the USA Freedom Act.

House passes two cyber security bills

One bill aims to improve agencies' website security, while another works to thwart critical infrastructure attacks.

A five-month-long Tor attack attempting to 'deanonymize' users

For roughly five months beginning in January, traffic confirmation attacks were used to attempt to "deanonymize" Tor users.