Microsoft says zero-day flaw not exploitable remotely

Share this article:

Microsoft this week confirmed the existence of an unpatched vulnerability affecting all versions of Windows, but said it is unlikely the flaw could be exploited remotely.

Details of the vulnerability – and proof of concept (PoC) code showing how to exploit it – were released Monday by an anonymous researcher identified only as “Cupidon-3005” on the Full Disclosure Mailing List, a forum for the disclosure of security issues. The Windows Server Message Block (SMB) vulnerability affects an error-reporting function of the Common Internet File Service browser service module, Matt Oh, a security researcher at Microsoft wrote in a blog post Wednesday. The SMB protocol provides network file-sharing capabilities to Windows machines.

All versions of Windows are vulnerable and there is currently no patch available.  

Researchers at Vupen, a French IT security research company, labeled the flaw “critical” – the highest threat level – and said it could be exploited by remote attackers or malicious users to cause a denial of service or to take complete control of an affected system. Microsoft, however, has downplayed the severity of the flaw.

“While RCE [remote code execution] is theoretically possible, we feel it is not likely in practice,” Mark Wodrich, a security software engineer in the Microsoft Security Response Center engineering team, wrote in a blog post Wednesday. “DoS [denial of service] is much more likely.”

Danish security firm Secunia, meanwhile, labeled the flaw “moderately critical,” or a three out of five in its severity rating scale, also noting that it may allow for the execution of arbitrary code.

The vulnerability can be exploited to cause a buffer overflow via an overly long Server Name string sent in a specially crafted Browser Election Request packet, according to Secunia.

The vulnerability was disclosed to Microsoft without prior notification, the software giant said.

“Luckily, the PoC was not fully weaponized (that is, it was not designed to achieve remote code execution and just a denial of service),” Oh wrote in the blog post.

While waiting for a fix from Microsoft, users can block or filter UDP and TCP ports 138, 139 and 445, Vupen suggested.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Popular Science served up Rig Exploit Kit on its website

The monthly science magazine served up malicious code to readers earlier this week and has remedied the issue.

Deloitte releases paper on vetting leaks, avoiding costly hoax

Deloitte releases paper on vetting leaks, avoiding costly ...

The research presents techniques for distinguishing legit data leaks from false claims.

Attack on White House systems breached unclassified networks

The White House experienced a sustained cyberattack on its systems that impacted its network for nearly two weeks.