US-CERT confirms vulnerability in Windows SMB service

Feb 3, 2017 07:41 GMT

Microsoft’s Windows operating system is once again affected by a zero-day security flaw that allows attackers to crash systems in a denial-of-service attack, which could then open them to further attacks, including the execution of arbitrary code.

An advisory published earlier today reveals that the vulnerability resides in the SMB service, and the US-CERT says that both Windows 8.1 and Windows 10 are exposed to attacks. There are reports claiming that Windows Server systems could also be affected, but there’s still no confirmation in this regard.

Windows 8.1 and Windows 10 both affected

The US security institute explains that its engineers have already reproduced a successful denial-of-service attack against fully patched Windows 10 and 8.1 computers, but it cannot yet confirm that the flaw can be exploited to run arbitrary code.

“Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys,” the advisory reads.
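As an added illustration (not code from the advisory, from US-CERT or from Microsoft), the strict parsing check a client needs at exactly this point: per MS-SMB2 the TREE_CONNECT Response is a fixed 16-byte structure following the 64-byte SMB2 header, so a response carrying extra bytes beyond it should be rejected rather than processed. The field layouts follow the MS-SMB2 specification; the sample messages are constructed here for testing.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64          # MS-SMB2 2.2.1: the header is always 64 bytes
SMB2_TREE_CONNECT = 0x0003    # Command value for TREE_CONNECT
SMB2_FLAGS_SERVER_TO_REDIR = 0x01
TREE_CONNECT_RESP_LEN = 16    # MS-SMB2 2.2.10: StructureSize MUST be 16

class MalformedResponse(ValueError):
    """A server response that violates the fixed SMB2 layout."""

def parse_tree_connect_response(msg: bytes) -> dict:
    """Parse one SMB2 TREE_CONNECT Response strictly: nothing may follow the 16-byte body."""
    if len(msg) < SMB2_HEADER_LEN or msg[:4] != SMB2_MAGIC:
        raise MalformedResponse("missing or truncated SMB2 header")
    hdr_size, command = struct.unpack_from("<H6xH", msg, 4)   # StructureSize, Command
    flags, next_cmd = struct.unpack_from("<II", msg, 16)      # Flags, NextCommand
    if hdr_size != SMB2_HEADER_LEN or command != SMB2_TREE_CONNECT:
        raise MalformedResponse("not a TREE_CONNECT message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR or next_cmd != 0:
        raise MalformedResponse("not a plain (uncompounded) server response")
    body = msg[SMB2_HEADER_LEN:]
    if len(body) < TREE_CONNECT_RESP_LEN:
        raise MalformedResponse("truncated TREE_CONNECT body")
    size, share_type, _rsvd, share_flags, caps, access = struct.unpack_from("<HBBIII", body)
    if size != TREE_CONNECT_RESP_LEN:
        raise MalformedResponse(f"StructureSize {size} != {TREE_CONNECT_RESP_LEN}")
    if len(body) != TREE_CONNECT_RESP_LEN:   # the advisory's condition: bytes after the structure
        raise MalformedResponse(f"{len(body) - TREE_CONNECT_RESP_LEN} trailing bytes after structure")
    return {"share_type": share_type, "share_flags": share_flags,
            "capabilities": caps, "maximum_access": access}

def is_well_formed(msg: bytes) -> bool:
    try:
        return bool(parse_tree_connect_response(msg))
    except MalformedResponse:
        return False

def build_response(body: bytes) -> bytes:
    """Constructed sample: a minimal SMB2 response header wrapping `body`."""
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,
                      SMB2_TREE_CONNECT, 1, SMB2_FLAGS_SERVER_TO_REDIR, 0,
                      1, 0, 1, 0x1000, b"\x00" * 16)
    return hdr + body

GOOD_BODY = struct.pack("<HBBIII", 16, 1, 0, 0, 0, 0x001F01FF)   # disk share, full access
VALID_RESPONSE = build_response(GOOD_BODY)                        # constructed, well-formed
OVERSIZED_RESPONSE = build_response(GOOD_BODY + b"\x00" * 256)    # constructed, extra bytes after the structure
```

A client that enforces this check fails closed on the oversized response instead of handing unexpected bytes to the driver.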

Exploit code that allows attackers to take advantage of this zero-day flaw has already been posted online, so users of the two aforementioned operating systems are exposed until a patch is provided.

While everyone waits for Microsoft to step in and release an out-of-band patch for the issue, US-CERT says there is currently no fix that fully protects users, and instead offers a temporary workaround: blocking outbound SMB connections (TCP ports 139 and 445, along with UDP ports 137 and 138) from the local network to the WAN.

We have reached out to Microsoft for a statement and more information on how users can be protected against exploits and will update the article when we receive an answer.

In the meantime, following US-CERT’s recommendations seems to be the only good option, especially since exploit code is already available online and can be used by any attacker until a patch is released.