
Zero-Day Windows Security Flaw Could Crash Systems, Cause BSODs


WALLONN7


US-CERT confirms vulnerability in Windows SMB service


Microsoft’s Windows operating system is once again impacted by a zero-day security flaw that allows attackers to crash systems with denial of service that would then open them to more possible attacks, including execution of arbitrary code.

An advisory published earlier today reveals that the vulnerability resides in the SMB service, and the US CERT says that both Windows 8.1 and Windows 10 are exposed to attacks. There are reports claiming that Windows Server systems could also be affected, but there’s still no confirmation in this regard.

Windows 8.1 and Windows 10 both affected

The US security institute explains its security engineers have already managed to reproduce a successful denial of service attack on fully-patched Windows 10 and 8.1 computers, but running arbitrary code is an exploit that cannot be confirmed right now as working.

“Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys,” the advisory reads.

Exploit code that allows attackers to take advantage of this zero-day flaw has already been posted online, so users of the two aforementioned operating systems are exposed until a patch is provided.

While everyone’s waiting for Microsoft to step in and release an out-of-band patch to fix the security issues, the US CERT says that there’s no solution to make sure users are on the safe side, but instead provides a temporary fix that involves blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

We have reached out to Microsoft for a statement and more information on how users can be protected against exploits and will update the article when we receive an answer.

In the meantime, turning to US CERT’s recommendations seems to be the only good option, especially given that exploit code is already available online and can be used by any attacker until a patch is provided.

Source


Vulnerability in Microsoft SMBv3 protocol crashes Windows PCs

Computers running fully patched Windows 10, 8.1, Server 2012, and 2016 are hit by Blue Screens when trying to connect to an infected server

Security experts warn that it may be possible to exploit a vulnerability in a protocol widely used to connect Windows clients and servers to inject and execute malicious code on Windows computers.

Computers running fully patched Windows 10, 8.1, Server 2012, or 2016 that try to access an infected server will crash with a Blue Screen triggered in mrxsmb20.sys, according to a post by Günter Born on today's Born’s Tech and Windows World blog.

The vulnerability takes advantage of a buffer overflow bug in Microsoft’s SMBv3 routines. SMBv3 is the latest version of the protocol used to connect Windows clients and servers for sharing files and printers.

Proof of Concept code for the vulnerability was released on Github yesterday by @PythonResponder. There's been no response from Microsoft as yet.

There are currently no reports of this particular security hole leading to a takeover of affected computers, but US-CERT Vulnerability Note VU#867968 raises the possibility that new exploit code for the vulnerability may be able to inject and execute malicious code on Windows computers.

Johannes Ullrich posted a warning on the SANS Internet Storm Center, concluding “it isn’t clear if this is exploitable beyond a denial of service.”

US-CERT advises:

The CERT/CC is currently unaware of a practical solution to this problem... Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.

Even more troubling, US-CERT gives this vulnerability a “Base” score of 10, their highest rating.

Born advises that the effect is limited on small networks:

For me, it seems that this is for companies with WANs. For small LANs I would classify the risk as low, because an attacker needs access to the network shares. Also, in networks with WLAN, access is WPA2 protected, so I can’t see how the exploit can be used.

The discussion continues on the AskWoody Lounge.

Source: Vulnerability in Microsoft SMBv3 protocol crashes Windows PCs (InfoWorld - Woody Leonhard)

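Both articles above quote the same US-CERT workaround: block outbound SMB (TCP 139 and 445, UDP 137 and 138) from the local network to the WAN. As an added example that is not from either article, from US-CERT or from Microsoft, this Python script applies that rule to constructed flow records so a defender can see which flows an egress block would cut and which LAN file-share traffic it leaves alone; the local address ranges, the record format and the sample flows are all assumptions made for the example.

```python
import ipaddress

# Ports named in the US-CERT workaround quoted in the thread:
# outbound TCP 139/445 and UDP 137/138 from the local network to the WAN.
SMB_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}

# "Local network" is assumed here to be RFC 1918 space plus link-local;
# a real deployment would list its own address ranges instead.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_local(ip):
    """True when ip falls inside one of the assumed local ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def parse_flow(line):
    """Parse one constructed flow record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)

def classify(line):
    """'block'     : SMB leaving the local network (what the workaround stops)
       'allow-lan' : SMB that stays inside the local network (shares keep working)
       'allow'     : anything that is not SMB at all"""
    src, dst, proto, dport = parse_flow(line)
    if dport not in SMB_PORTS.get(proto, ()):
        return "allow"
    if is_local(src) and not is_local(dst):
        return "block"
    return "allow-lan"

# Constructed sample flows; 203.0.113.0/24 is a documentation range standing
# in for an arbitrary Internet host, not a real SMB server.
SAMPLE_FLOWS = [
    "192.168.1.20 192.168.1.5 tcp 445",   # client to a LAN file server
    "192.168.1.20 203.0.113.7 tcp 445",   # client to an SMB server on the Internet
    "192.168.1.20 203.0.113.7 udp 137",   # NetBIOS name lookup leaving the LAN
    "192.168.1.20 203.0.113.7 tcp 443",   # ordinary HTTPS, untouched
    "10.0.5.9 172.16.40.2 tcp 139",       # SMB between two private subnets
]

def audit(lines):
    """Return (line, verdict) pairs so the flows a rule would cut can be reviewed."""
    return [(line, classify(line)) for line in lines]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:10} {line}")
```

Running the audit against real NetFlow or firewall logs before enabling the block shows whether any legitimate SMB traffic already crosses the LAN boundary.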


I am willing to bet Microsoft choked on that release. Gee, hard to believe that Windows 10 has more vulnerabilities than Windows 7, but it is true and has been true since day one. The fix for Windows 10 is to downgrade to Windows 7. :P



Why is it called zero-day?

Zero-day bugs are bugs found on the first day of a product roll-out,

and Windows 10 has been around for quite a while.



7 hours ago, info999 said:

Why is it called zero-day?

Zero-day bugs are bugs found on the first day of a product roll-out,

and Windows 10 has been around for quite a while.

Change your username to info1000 now, as you are getting one more now.

Zero-days are simply bugs that weren't known before being publicly disclosed, meaning many malicious entities could be exploiting/selling that bug in underground markets; but the first instance it's disclosed to the public when there's no patch by the vendor, it's called a zero-day.
