Network Security, Patch/Configuration Management, Vulnerability Management

Researchers reveal Windows buffer overflow flaw

Researchers last week revealed an unpatched buffer overflowbug in Windows that could allow an attacker to take control of an affected machine.

The GoodFellas Security Research Team on Friday disclosed aflaw in the FindFile function of two Windows libraries.

The FindFile class is used to manage searches across theWindows filesystem, according to an advisory released by researcher JonathanSarba and the GoodFellas Security Research Team.

There is no available workaround or patch for the flaw,according to an advisory from Shellcode, an Argentina-based solutions providerwhere Sarba is a manager and security specialist.

Sarba declined comment today, but the GoodFellas advisorysaid the group notified affected independent software vendors on June 20 andMicrosoft a day later.

GoodFellas asked Microsoft for an update on Aug. 31, whichMicrosoft said on Sept. 5 was “coming soon,”  according to Shellcode's advisory.

Christopher Budd, Microsoft security program manager, saidtoday that the company is investigating reports of the flaw and will respondafter the inquiry is complete.

The Redmond, Wash.-based corporationis unaware of any attacks targeting the reported vulnerability, Budd said.

Secunia, which released an advisory for the flaw on Monday,warned that the bug can be exploited to cause a heap-based buffer overflow bypassing an overly long argument to an affected application.

The flaw exists on a fully patched PC running Windows XPwith Service Pack 2, according to Secunia, which ranked the flaw as “moderatelycritical.”

The Denmark-based vulnerability monitoring organizationcited two HP products that have vectors allowing exploitation: All-In-OneSeries web release software driver/installer version 2.1.0 and HP Photo andImaging Gallery version 1.1.

Secunia recommended that users restrict access to affected applicationsand check the length of user input.

FrSIRT ranked the flaw as having “moderate risk” in anadvisory released today.

Don Leatham, director of solutions and strategies atLumention Security (formerly PatchLink), told SCMagazineUS.com today that thevulnerability is “another example of a standard buffer overflow.”

“It's a little bit concerning because it's part of thefoundation class library of Windows, which you would think a lot ofapplications would be using,” he said. “It looks like it can definitely be usedfor remote code execution, as well as a local attack.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.