Researchers have identified a new remotely exploitable vulnerability in all current versions of Windows that could be used by attackers to run arbitrary code on vulnerable machines. There is already a proof-of-concept exploit in circulation for the bug.
The new bug lies in the BROWSER protocol, which runs on top of the SMB (Server Message Block) protocol on Windows. Microsoft security officials said that the vulnerability is most likely to be found on servers and may be difficult to exploit for remote code execution.
“This vulnerability affects Windows machines that have been configured to
(A) use the BROWSER network protocol and (B) that then become Master
Browser on the local network. The BROWSER protocol uses an election
process to determine which system will act as the “master” in terms of
data collection and response handling,” Mark Wodrich of the Microsoft Security Response Center said in a blog post on the vulnerability.
“RCE may also be possible if the corrupted memory is used by a thread
running on another processor before the RtlCopyMemory triggers a
bugcheck, and in a way that can be used to change code execution. (For
instance, by corrupting a function pointer and having it be used by
another thread). We feel that triggering any such timing condition
reliably will be very difficult.”
Microsoft said that enterprises can limit the exploitability of the SMB flaw by blocking the BROWSER protocol at the network edge.