Microsoft confirms Windows BROWSER protocol zero-day

A security researcher has released proof-of-concept code for an unpatched security vulnerability affecting all versions of Windows, prompting a warning from Microsoft that remote code execution attacks are theoretically possible.

Details on the vulnerability were released on the Full Disclosure mailing list earlier this week and Microsoft followed up with two separate blog posts discussing the ramifications of the problem and suggesting workarounds until a patch can be created and released.

According to Microsoft's Mark Wodrich, the vulnerability was identified in the BROWSER protocol and although all versions of Windows are vulnerable, the issue is more likely to affect server systems running as the Primary Domain Controller (PDC).

"In environments following best practices, the BROWSER protocol should be blocked at the edge firewalls thus limiting attacks to the local network," Wodrich said.

Wodrich provided technical confirmation of the buffer overrun vulnerability and explained that a malformed BROWSER message would cause the Master Browser to reach the vulnerable code and trigger the overrun.

He warned that remote code execution (highest severity) may be possible in certain circumstances.

"While [remote code execution] is theoretically possible, we feel it is not likely in practice," Wodrich said, noting that a more likely attack scenario would be denial-of-service attacks.

Microsoft has not yet issued a formal security advisory with mitigation guidance or workarounds.
