Microsoft says zero-day flaw not exploitable remotely

Share this article:

Microsoft this week confirmed the existence of an unpatched vulnerability affecting all versions of Windows, but said it is unlikely the flaw could be exploited remotely.

Details of the vulnerability – and proof of concept (PoC) code showing how to exploit it – were released Monday by an anonymous researcher identified only as “Cupidon-3005” on the Full Disclosure Mailing List, a forum for the disclosure of security issues. The Windows Server Message Block (SMB) vulnerability affects an error-reporting function of the Common Internet File Service browser service module, Matt Oh, a security researcher at Microsoft wrote in a blog post Wednesday. The SMB protocol provides network file-sharing capabilities to Windows machines.

All versions of Windows are vulnerable and there is currently no patch available.  

Researchers at Vupen, a French IT security research company, labeled the flaw “critical” – the highest threat level – and said it could be exploited by remote attackers or malicious users to cause a denial of service or to take complete control of an affected system. Microsoft, however, has downplayed the severity of the flaw.

“While RCE [remote code execution] is theoretically possible, we feel it is not likely in practice,” Mark Wodrich, a security software engineer in the Microsoft Security Response Center engineering team, wrote in a blog post Wednesday. “DoS [denial of service] is much more likely.”

Danish security firm Secunia, meanwhile, labeled the flaw “moderately critical,” or a three out of five in its severity rating scale, also noting that it may allow for the execution of arbitrary code.

The vulnerability can be exploited to cause a buffer overflow via an overly long Server Name string sent in a specially crafted Browser Election Request packet, according to Secunia.

The vulnerability was disclosed to Microsoft without prior notification, the software giant said.

“Luckily, the PoC was not fully weaponized (that is, it was not designed to achieve remote code execution and just a denial of service),” Oh wrote in the blog post.

While waiting for a fix from Microsoft, users can block or filter UDP and TCP ports 138, 139 and 445, Vupen suggested.
Share this article:

Sign up to our newsletters

More in News

Incapsula mitigates multi-vector DDoS attack lasting longer than a month

Incapsula mitigates multi-vector DDoS attack lasting longer than ...

Incapsula's scrubbing servers were able to filter out more than 50 petabits of malicious DDoS traffic aimed at a video game company for longer than a month.

UPS announces breach impacting 51 U.S. locations

The shipping and printing provider said malware has been present on some stores' computer systems since mid-January.

'Machete' espionage campaign targets orgs in Venezuela, Ecuador

The campaign targets Spanish speaking victims, which also appears to be the native language of attackers.