New SMB vulnerability identified in Windows XP and Server 2003

Ron Condon, UK Bureau Chief

Just days after a Patch Tuesday that saw both Microsoft and Adobe Systems Inc. issuing urgent patches for multiple products, a new vulnerability in the Server Message Block (SMB) component of Microsoft Windows has been discovered. Researchers say the vulnerability could be exploited by remote attackers or malicious users to cause a denial-of-service (DoS) attack or take control of a vulnerable system.

The vulnerability, tagged as CVE-2011-0654, has been rated "critical" and confirmed on Windows Server 2003 SP2 and Microsoft Windows XP SP3.

The flaw was originally discovered by a researcher known as Cupidon-3005, who prefaced his notification to seclists.org with the sly comment: "Apologies if this puts a downer on the MSRC Valentine's Day sausage fest."

The vulnerability has been analysed by researchers at VUPEN Security S.A. in Montpellier, France, who say the problem is caused by a heap overflow error in the "BrowserWriteErrorLogEntry()" function within the Windows NT SMB Minirdr "mrxsmb.sys" driver when processing malformed Browser Election requests.

VUPEN Security, headquartered in France, said remote unauthenticated attackers or local unprivileged users could exploit the flaw by sending malformed Browser Election requests, which would cause the heap overflow within the mrxsmb.sys driver. This would allow them to crash an affected system or execute arbitrary code with elevated privileges.

With no patch currently available, VUPEN recommends that those affected block or filter UDP and TCP ports 138, 139 and 445.