A security researcher disclosed a new unpatched bug in Windows that some experts believe could be used to remotely hijack a PC. Microsoft said it is investigating the flaw, but provided no information on any analysis it's conducted thus far.
The researcher, identified only as "Cupidon-3005," posted exploit code Monday for the vulnerability, which's reportedly in the "BowserWriteErrorLogEntry()" function within the "mrxsmb.sys" driver. The driver processes requests to the Server Message Block protocol that Windows uses for network communication.
SMB is mainly used to provide file- and printer-sharing to Windows machines.
Microsoft is investigating public claims of a possible vulnerability in Windows SMB [Server Message Block]," said Jerry Bryant, a group manager with the Microsoft Security Response Center (MSRC), in an e-mail Tuesday. "Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
According to French security company Vupen, which rated the bug as "critical," a successful exploit could "cause a denial of service or take complete control of a vulnerable system." The former would crash Windows and produce the notorious "Blue Screen of Death" that illustrates a serious collapse of the operating system.
Microsoft acknowledged the vulnerability saying,
"On Valentine's Day, an anonymous researcher announced a previously undisclosed SMB vulnerability affecting the CIFS (Common Internet File System) browser service. Along with the vulnerability, the researcher also posted Proof-of-Concept (PoC) exploit code showing exactly how to exploit the vulnerability, triggering a blue screen in kernel mode.
[…]Our conclusion is that the part of the string that the attacker can control will always end up inside the allocated buffer, and the part the attacker can't control is in the part that overflows the buffer. Also, it isn't possible to control the length of data to overwrite, so that it's always the same (and predictable) huge integer value. As a result, we don't (yet) see how RCE can happen."
[tags]smb,bsod,blude screen of death,server message block,poc,proof-of-concept[/tags]