Microsoft is investigating reports of a Windows zero-day vulnerability.
Exploit code for a new zero-day vulnerability targeting Windows systems has
appeared on the Web.
On Valentine's Day, an anonymous researcher going by the name "Cupidon-3005"
posted exploit code for a Server Message Block (SMB) vulnerability affecting
the CIFS (Common Internet File System) browser service.
More specifically, the vulnerability is inside an error-reporting function
of the CIFS browser service module, explained Matt Oh of the Microsoft Malware
Protection Center Vulnerability Response Team.
"An attacker triggers the vulnerability by causing multiple string
arrays to be concatenated," he blogged. "The target buffer to which
the concatenated string arrays are pushed has a pre-allocated fixed
size. When the remaining target buffer length becomes 0, the string copy
loop should exit, but it does not. The length is decremented by one more before
the actual string copy instructions are executed, which is intended to reserve
the string's NULL termination. Suddenly, the length of the string to be copied
becomes a huge number due to the integer underflow. The next string copy
operation will attempt to copy an extremely large number of bytes from the
source address to the target buffer, and then the overflow ensues."
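The bug class Oh describes, a remaining-length counter that is decremented to reserve the NUL terminator before anyone checks that any space is left, is easy to see in a small model. The following C is an added, constructed illustration and is not Microsoft's code: the `buggy_copy_bound` and `safe_copy_bound` functions are hypothetical names that model only the length arithmetic (the buggy one never touches memory), and `safe_concat` shows the hardened concatenation loop with the check placed before the reservation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the length arithmetic described in the article.
 * `remaining` is how many bytes of the fixed-size target buffer are still
 * free. The copy routine is handed a bound of (remaining - 1) so that one
 * byte stays reserved for the NUL terminator.
 *
 * Buggy variant: the decrement happens unconditionally. When remaining is
 * already 0 the unsigned subtraction wraps to SIZE_MAX, so the copy routine
 * would be told it may write an enormous number of bytes. This function only
 * computes that bound; it performs no copy.
 */
size_t buggy_copy_bound(size_t remaining)
{
    return remaining - 1;               /* wraps to SIZE_MAX when remaining == 0 */
}

/* Hardened variant: refuse to copy when no space is left, then reserve the NUL. */
size_t safe_copy_bound(size_t remaining)
{
    if (remaining == 0)
        return 0;                       /* loop must stop here, not underflow */
    return remaining - 1;
}

/*
 * Concatenate `count` strings into a fixed-size buffer of `cap` bytes using
 * the hardened bound. The result is always NUL-terminated when cap > 0.
 * Returns the number of source bytes that did not fit (0 means nothing was
 * truncated), so the caller can detect truncation instead of overflowing.
 */
size_t safe_concat(char *dst, size_t cap, const char *const *srcs, size_t count)
{
    size_t used = 0, dropped = 0;

    for (size_t i = 0; i < count; i++) {
        size_t len = strlen(srcs[i]);
        size_t remaining = cap - used;          /* used <= cap, so no underflow */
        size_t bound = safe_copy_bound(remaining);
        size_t n = len < bound ? len : bound;   /* copy at most what fits */

        memcpy(dst + used, srcs[i], n);
        used += n;
        dropped += len - n;
    }
    if (cap > 0)
        dst[used] = '\0';
    return dropped;
}

int main(void)
{
    /* Constructed sample input: three fragments into an 8-byte buffer. */
    const char *parts[] = { "abc", "def", "ghi" };
    char buf[8];

    printf("buggy bound with 0 bytes left: %zu\n", buggy_copy_bound(0));
    printf("safe  bound with 0 bytes left: %zu\n", safe_copy_bound(0));

    size_t dropped = safe_concat(buf, sizeof buf, parts, 3);
    printf("result \"%s\", %zu byte(s) truncated\n", buf, dropped);
    return 0;
}
```

The hardened loop keeps the invariant `used <= cap`, so `remaining` can reach 0 but never wraps, and the truncation count gives the caller an explicit signal that input was dropped rather than silently written past the buffer.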
While Microsoft contends the issue is unlikely to be exploited remotely,
VUPEN Security noted in an advisory that the situation "could be exploited by
remote unauthenticated attackers or local unprivileged users to crash an
affected system or potentially execute arbitrary code with elevated
privileges." The researcher who first reported the bug, however, was in
agreement with Microsoft that remote execution was not
"Based on our initial investigation, this vulnerability cannot be
leveraged for remote code execution [RCE] on 32-bit platforms," said Jerry
Bryant, group manager of response communications for Microsoft's Trustworthy
Computing Group. "We are still investigating the possibility of code
execution on 64-bit platforms, but so far have not found a likely scenario that
would result in reliable code execution.
"Nearly 4GB of consecutive address space would need to be mapped to
achieve code execution on 32-bit systems, or 8GB on 64-bit systems,"
Bryant added. "Therefore, we believe that this vulnerability is unlikely
to result in code execution and more likely in the real world to be leveraged
for denial of service only."
Until the flaw is patched, users can block or filter UDP and TCP
ports 138, 139 and 445 for protection, according to VUPEN.