New SMB vulnerability identified in Windows XP and Server 2003


Ron Condon, UK Bureau Chief

Just days after a Patch Tuesday that saw both Microsoft and Adobe Systems Inc. issuing urgent patches for multiple products, a new vulnerability in the Server Message Block (SMB) component of Microsoft Windows has been discovered. Researchers say the vulnerability could be exploited by remote attackers or malicious users to cause a denial-of-service (DoS) attack or take control of a vulnerable system.

The vulnerability, tagged as CVE-2011-0654, has been rated "critical" and confirmed on Windows Server 2003 SP2 and Microsoft Windows XP SP3.

The flaw was originally discovered by a researcher known as Cupidon-3005, who prefaced his notification with the sly comment: "Apologies if this puts a downer on the MSRC Valentine's Day sausage fest."

The vulnerability has been analysed by researchers at VUPEN Security S.A. in Montpellier, France, who say the problem is caused by a heap overflow error in the "BrowserWriteErrorLogEntry()" function within the Windows NT SMB Minirdr "mrxsmb.sys" driver when processing malformed Browser Election requests.

VUPEN Security, headquartered in France, said remote unauthenticated attackers or local unprivileged users could exploit the flaw by sending malformed Browser Election requests, which would cause the heap overflow within the mrxsmb.sys driver. This would allow them to crash an affected system or execute arbitrary code with elevated privileges.

With no current patch available, VUPEN recommends that those affected block or filter UDP and TCP ports 138, 139 and 445.
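
One way to check that a perimeter filter actually implements this workaround, as an added example that is not part of the original article: the Python below audits a ruleset in iptables-save syntax and reports which of the six protocol/port pairs are still passed. The choice of a Linux gateway, the FORWARD chain and the sample rules are assumptions made for illustration.

```python
import re

# Ports named in VUPEN's workaround, each for both TCP and UDP.
REQUIRED = {(proto, port) for proto in ("tcp", "udp") for port in (138, 139, 445)}

# Constructed sample in iptables-save syntax (not taken from the article).
SAMPLE_RULES = """\
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p udp -m multiport --dports 137:139 -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -p udp -m udp --dport 445 -j REJECT --reject-with icmp-port-unreachable
"""

RULE = re.compile(r"-A (\S+) .*?-p (tcp|udp)\b.*?--dports? (\S+).*?-j (\S+)")


def _ports(spec):
    """Expand '445', '137:139' or '138,139,445' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def unblocked(rules_text, chain="FORWARD"):
    """Return the REQUIRED (proto, port) pairs that the chain does not block.

    First match wins, as in iptables, so an ACCEPT placed ahead of a DROP
    leaves the port open. Limitation: every rule is treated as if it matched
    on protocol and destination port only (source, interface and state
    matches are ignored), and the chain's default policy is not considered.
    """
    verdict = {}
    for line in rules_text.splitlines():
        m = RULE.match(line)
        if not m or m.group(1) != chain:
            continue
        _, proto, spec, target = m.groups()
        for port in _ports(spec):
            verdict.setdefault((proto, port), target)  # keep the first verdict
    return sorted(p for p in REQUIRED if verdict.get(p) not in ("DROP", "REJECT"))


if __name__ == "__main__":
    for proto, port in unblocked(SAMPLE_RULES):
        print(f"still passed: {proto}/{port}")
```

On the sample, TCP 138 has no rule at all and TCP 139 is shadowed by an earlier ACCEPT, so both are reported as still passed.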