February 17, 2011, 2:10PM

New SMB Bug Found in All Versions of Windows

Researchers have identified a new remotely exploitable vulnerability in all current versions of Windows that could be used by attackers to run arbitrary code on vulnerable machines. There is already a proof-of-concept exploit in circulation for the bug.

The new bug lies in the BROWSER protocol, which runs on top of the SMB (Server Message Block) protocol on Windows. Microsoft security officials said that the vulnerability is most likely to be found on servers and may be difficult to exploit for remote code execution.

"This vulnerability affects Windows machines that have been configured to (A) use the BROWSER network protocol and (B) that then become Master Browser on the local network. The BROWSER protocol uses an election process to determine which system will act as the “master” in terms of data collection and response handling," Mark Wodrich of the Microsoft Security Response Center said in a blog post on the vulnerability.

"RCE may also be possible if the corrupted memory is used by a thread running on another processor before the RtlCopyMemory triggers a bugcheck, and in a way that can be used to change code execution. (For instance, by corrupting a function pointer and having it be used by another thread). We feel that triggering any such timing condition reliably will be very difficult."

Microsoft said that enterprises can limit the exploitability of the SMB flaw by blocking the BROWSER protocol at the network edge.


Copyright © 2012 threatpost.com