Categories: PCSecurityWorkspace

Microsoft Investigates Windows Zero-Day Vulnerability

Microsoft has begun an investigation after exploit code for a new zero-day vulnerability targeting Windows systems appeared on the Internet.

On Valentine’s Day, an anonymous researcher going by the name “Cupidon-3005” released proof-of-concept code for a Server Message Block (SMB) vulnerability affecting the CIFS (Common Internet File System) browser service.

More specifically, the vulnerability is inside an error-reporting function of the CIFS browser service module, explained Matt Oh, of the Microsoft Malware Protection Center Vulnerability Response Team.

Unlikely Exploit

“An attacker triggers the vulnerability by causing multiple string arrays to be concatenated,” he blogged. “The target buffer to which the concatenated string arrays are pushed has a pre-allocated fixed size. When the remaining target buffer length becomes 0, the string copy loop should exit, but it does not. The length is decremented by one more before the actual string copy instructions are executed, which is intended to reserve the string’s NULL termination. Suddenly, the length of the string to be copied becomes a huge number due to the integer underflow. The next string copy operation will attempt to copy an extremely large number of bytes from the source address to the target buffer, and then the overflow ensues.”

While Microsoft contends the issue is unlikely to be exploited remotely, VUPEN Security noted in an advisory that the situation “could be exploited by remote unauthenticated attackers or local unprivileged users to crash an affected system or potentially execute arbitrary code with elevated privileges.”

The researcher who first reported the bug, however, was in agreement with Microsoft that remote execution was not probable.

“Based on our initial investigation, this vulnerability cannot be leveraged for remote code execution [RCE] on 32-bit platforms,” said Jerry Bryant, group manager of response communications for Microsoft’s Trustworthy Computing Group. “We are still investigating the possibility of code execution on 64-bit platforms, but so far have not found a likely scenario that would result in reliable code execution.

DNS Possibility

“Nearly 4GB of consecutive address space would need to be mapped to achieve code execution on 32-bit systems, or 8GB on 64-bit systems,” Bryant added. “Therefore, we believe that this vulnerability is unlikely to result in code execution and more likely in the real world to be leveraged for denial of service only.”

Until the flaw is patched, users can block or filter UDP and TCP ports 138, 139 and 445 for protection, according to VUPEN.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Hate Speech Watchdog CCDH To Quit Musk’s X

Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…

21 mins ago

Meta Fined €798m Over Alleged Facebook Marketplace Violations

Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…

2 hours ago

Elon Musk Rebuked By Italian President Over Migration Tweets

Elon Musk continues to provoke the ire of various leaders around the world with his…

3 hours ago

VW, Rivian Launch Joint Venture, As Investment Rises To $5.8 Billion

Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…

4 hours ago

AMD Axes 4 Percent Of Staff, Amid AI Chip Focus

Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…

7 hours ago

Tesla Recalls 2,431 Cybertrucks Over Propulsion Issue

Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…

8 hours ago