Zero Day Found in Older Version of Windows

Friday, February 18, 2011 @ 03:02 PM gHale

There is a new Zero Day warning out for older versions of Windows that could allow attackers to take complete control of machines running the operating systems.

The flaw in the “BowserWriteErrorLogEntry()” function within the Windows mrxsmb.sys driver “could be exploited by remote attackers or malicious users to cause a denial of service or take complete control of a vulnerable system,” said researchers from French security firm Vupen. The warning came after proof-of-concept code was posted.

The attacks are triggered by sending vulnerable machines malformed Browser Election requests that cause a heap overflow in the mrxsmb.sys driver. The term “Browser” in this context doesn’t refer to an application used for browsing websites, but rather to networking technology used by older versions of Windows. The malformed Browser Election requests contain an “overly long Server Name string,” according to vulnerability tracking service Secunia.
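A defensive check for the condition Secunia describes, added here as an example and not taken from the article, Vupen, Secunia or Microsoft: it classifies Browser Election frames by the length of their Server Name field. The frame layout (opcode 0x08, 14-byte fixed header) and the 16-byte Server Name limit are assumptions drawn from Microsoft's published MS-BRWS specification; the function names and sample frames are constructed.

```python
import struct

# Assumed layout (MS-BRWS RequestElection, not given in the article):
# opcode(1) version(1) criteria(4) uptime(4) unused(4) ServerName(NUL-terminated)
OPCODE_REQUEST_ELECTION = 0x08
HEADER = struct.Struct("<BBIII")
MAX_SERVER_NAME = 16  # assumed limit in bytes, including the terminating NUL


def classify_election_frame(payload: bytes) -> str:
    """Classify a browser frame already extracted from its mailslot datagram."""
    if not payload or payload[0] != OPCODE_REQUEST_ELECTION:
        return "not-election"
    if len(payload) < HEADER.size + 1:
        return "truncated"
    name_field = payload[HEADER.size:]
    nul = name_field.find(b"\x00")
    name_len = nul if nul != -1 else len(name_field)
    if name_len + 1 > MAX_SERVER_NAME:
        return "oversized-name"      # the condition Secunia describes
    if nul == -1:
        return "unterminated-name"   # malformed, though within the limit
    return "ok"


def flag_frames(frames):
    """Return (index, verdict) for every Election frame that is malformed."""
    verdicts = ((i, classify_election_frame(f)) for i, f in enumerate(frames))
    return [(i, v) for i, v in verdicts if v not in ("ok", "not-election")]


# Constructed sample frames (not captured traffic).
SAMPLES = [
    HEADER.pack(0x08, 1, 0x00010F03, 60000, 0) + b"WORKSTATION01\x00",
    HEADER.pack(0x08, 1, 0, 0, 0) + b"A" * 64 + b"\x00",
    b"\x01" + b"\x00" * 20,
    b"\x08\x01",
    HEADER.pack(0x08, 1, 0, 0, 0) + b"HOST",
]

if __name__ == "__main__":
    for index, verdict in flag_frames(SAMPLES):
        print(f"frame {index}: {verdict}")
```

The same length test can be expressed as a network sensor rule once the mailslot payload offset is known for the capture in use.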

Vupen, which rates the vulnerability as critical, has confirmed the bug in Windows Server 2003 SP2 and Windows XP SP3. Secunia rates it as moderately critical, the third most serious notch in its five-tier system.

A Microsoft spokesman said company researchers are investigating the reports and “will take appropriate action to help protect customers” when the inquiry is complete.

Mark Wodrich of the Microsoft Security Response Center blogged that the vulnerability doesn’t allow attackers to remotely execute code on vulnerable 32-bit systems. Remote execution may be possible on vulnerable 64-bit systems because they have 8GB of contiguous virtual address space mapped.