Microsoft warns of new zero-day vulnerability in Windows

Microsoft has acknowledged a Windows vulnerability that could allow remote code execution, after an unnamed security researcher this week released information about the vulnerability. The researcher also posted proof-of-concept exploit code that triggers a blue-screen PC system freeze.

The vulnerability affects every version of Windows, and Microsoft said that system servers running as the primary domain controller could be at the highest risk, according to the researcher, identified only by the user name "Cupidon-3005."

In a TechNet blog, Matt Oh, member of the MMPC Vulnerability Response Team, provided some more details on the situation: "...the vulnerability is inside an error-reporting function of the CIFS browser service module. The function gets a variable number of arguments as parameters. Those string arguments are pushed on the stack for processing. In some cases, some of the strings can be controlled by the attacker."

Oh continued by saying that once a PC is controlled by a hacker it could be possible for malicious code to be freely distributed to the compromised system.

The Microsoft security team is optimistic that exploitation of the vulnerability for this purpose should be rare. The team added that "while [a remote code execution] is theoretically possible, we feel it is not likely in practice," wrote Mark Wodrich, MSRC engineer, in a blog post.

However, Wodrich does feel that there is some concern that hackers may use this newly documented opening to launch a denial-of-service attack.  

Microsoft has not yet released a security advisory on the vulnerability and has offered no workaround fix as it continues to investigate the security concern. With the release of February's patches just last week, an official patch may not surface until Microsoft's March security update, or Microsoft could release an interim "out-of-band" patch.

About the Author

Chris Paoli is the associate Web editor for 1105 Enterprise Computing Group's Web sites, including Redmondmag.com, RCPmag.com, ADTmag.com and VirtualizationReview.com.
