Did Microsoft Patch Miss the Mark?

An anonymous security researcher has posted a proof-of-concept exploit for a flaw patched in Microsofts “critical” MS06-035 bulletin, but the companys security response team says the issue is actually a brand-new, unpatched vulnerability.

The researcher, who uses the online moniker “cocoruder,” published the attack code on the Milw0rm Web site alongside a claim that it exploits a memory corruption in Mailslot to trigger a blue-screen Windows crash.

Microsoft shipped a Mailslot fix in the MS06-035 update released on July 11, but although the published code targets a similar flaw, Microsoft insists the exploit does not affect the same code path or functionality or vulnerability that was addressed by the update.

“We now have a good understanding of the issue and we are conducting a thorough investigation into this area of code to make sure we can deliver a security update that is complete and meets our quality bar,” said Adrian Stone, a program manager in Microsofts security response center.

In a blog entry posted on July 28, Stone said the proof-of-concept is limited to a denial of service that would cause the target host to crash. “At this time we have not identified any possibilities with this issue that could allow remote code execution,” he said.

“We have not observed or received any reports of the [exploit] being used to actively attack systems,” Stone added.

Because the vulnerability exists in the Server Message Block protocol that runs on TCP ports 139 and 445, Microsoft recommends that these ports should be blocked at perimeter firewalls, both inbound and outbound.

After reviewing the exploit code, researchers at the ISS X-Force vulnerability research unit described the bug as a “null pointer dereference” in the server driver (srv.sys).

/zimages/7/28571.gifClick here to read more about the exploit code.

“By sending a specially-crafted network packet to an affected system, a remote attacker could cause the system to crash,” the company said in an alert published July 28.

“Users must reboot to recover from the crash. An exploit is available in the wild. As of this writing no patch is available for the vulnerability,” the company warned.

Affected software includes fully patched versions of 2000 SP4, Windows Server 2003 and Windows XP SP2.

The alert said it is “unlikely” that the new flaw could result in remote code execution but warned that “complete system crashes are reliable.”

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.