Microsoft says zero-day flaw not exploitable remotely

Microsoft this week confirmed the existence of an unpatched vulnerability affecting all versions of Windows, but said it is unlikely the flaw could be exploited remotely.

Details of the vulnerability – and proof of concept (PoC) code showing how to exploit it – were released Monday by an anonymous researcher identified only as “Cupidon-3005” on the Full Disclosure Mailing List, a forum for the disclosure of security issues. The Windows Server Message Block (SMB) vulnerability affects an error-reporting function of the Common Internet File Service browser service module, Matt Oh, a security researcher at Microsoft, wrote in a blog post Wednesday. The SMB protocol provides network file-sharing capabilities to Windows machines.

All versions of Windows are vulnerable and there is currently no patch available.  

Researchers at Vupen, a French IT security research company, labeled the flaw “critical” – the highest threat level – and said it could be exploited by remote attackers or malicious users to cause a denial of service or to take complete control of an affected system. Microsoft, however, has downplayed the severity of the flaw.

“While RCE [remote code execution] is theoretically possible, we feel it is not likely in practice,” Mark Wodrich, a security software engineer in the Microsoft Security Response Center engineering team, wrote in a blog post Wednesday. “DoS [denial of service] is much more likely.”

Danish security firm Secunia, meanwhile, labeled the flaw “moderately critical,” or a three out of five in its severity rating scale, also noting that it may allow for the execution of arbitrary code.

The vulnerability can be exploited to cause a buffer overflow via an overly long Server Name string sent in a specially crafted Browser Election Request packet, according to Secunia.

The vulnerability was disclosed to Microsoft without prior notification, the software giant said.

“Luckily, the PoC was not fully weaponized (that is, it was not designed to achieve remote code execution and just a denial of service),” Oh wrote in the blog post.

While waiting for a fix from Microsoft, users can block or filter UDP and TCP ports 138, 139 and 445, Vupen suggested.
