
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Microsoft confirms Windows BROWSER protocol zero-day

By Ryan Naraine | February 17, 2011, 11:33am PST

Summary: A security researcher has released proof-of-concept code for an unpatched security vulnerability affecting all versions of Windows, prompting a warning from Microsoft that remote code execution attacks are theoretically possible.

Details on the vulnerability were released on the Full Disclosure mailing list earlier this week, and Microsoft followed up with two separate blog posts discussing the ramifications of the problem and suggesting workarounds until a patch can be created and released.

According to Microsoft's Mark Wodrich, the vulnerability was identified in the BROWSER protocol and, although all versions of Windows are vulnerable, the issue is more likely to affect server systems running as the Primary Domain Controller (PDC). The protocol belongs to the Computer Browser service, which builds the network-neighborhood list of file and print shares on a LAN; it has nothing to do with web browsers.

“In environments following best practices, the BROWSER protocol should be blocked at the edge firewalls thus limiting attacks to the local network,” Wodrich said.

Wodrich confirmed that the flaw is a buffer overrun: a malformed BROWSER message sent to the host acting as Master Browser reaches the vulnerable code path and triggers it. Any Windows host running the Computer Browser service can be elected Master Browser, which is why every version is affected even though the role usually ends up on a domain controller.

He warned that remote code execution (highest severity) may be possible in certain circumstances.

“While [remote code execution] is theoretically possible, we feel it is not likely in practice,” Wodrich said, noting that the more likely attack scenario would be denial of service.

Microsoft has not yet issued a formal security advisory; the only mitigation guidance so far is the blog posts' recommendation to keep BROWSER traffic from crossing the edge firewall, which confines any attack to the local network.
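Added example, not part of the article or of Microsoft's blog posts: a PowerShell script that takes a host out of BROWSER elections (so a malformed election frame from the LAN never reaches Master Browser code on it) and drops the NetBIOS datagram traffic the protocol is carried in. It assumes an elevated prompt on Windows Vista/Server 2008 or later (for netsh advfirewall), that the host is not meant to be the domain master browser, and that it can live without NetBIOS name resolution and network-neighborhood browsing; the firewall rule name is my own choice.

```powershell
# Added example, not from the article or Microsoft's posts. Run from an
# elevated PowerShell prompt. Both steps below disable network-neighborhood
# browsing on this host; do NOT run this on the machine meant to be the
# domain master browser (normally the PDC emulator) without planning for it.

$ErrorActionPreference = 'Stop'

# 1. Is this host currently a master browser? A master browser registers the
#    ..__MSBROWSE__. group name; nbtstat -n lists the NetBIOS names it holds.
$names = & nbtstat.exe -n
if ($names -match '__MSBROWSE__') {
    Write-Warning 'This host is currently a master browser on at least one segment.'
}

# 2. Tell the Computer Browser service not to keep a server list or compete in
#    elections (MaintainServerList accepts Yes / No / Auto), then stop and
#    disable the service. The registry value covers the case where someone
#    re-enables the service later.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
Set-ItemProperty -Path $params -Name MaintainServerList -Value 'No'
$svc = Get-Service -Name Browser
if ($svc.Status -ne 'Stopped') { Stop-Service -Name Browser -Force }
Set-Service -Name Browser -StartupType Disabled

# 3. Host firewall: drop inbound NetBIOS datagram service (UDP 138), which
#    carries BROWSER mailslot frames, and NetBIOS name service (UDP 137).
#    Microsoft's advice is to block the protocol at the network edge; this host
#    rule is belt-and-braces for machines that need no NetBIOS at all. Block
#    rules win over allow rules in Windows Firewall, so legitimate browse
#    traffic to this host is silenced too. Rule name: assumption, pick your own.
$ruleName = 'BROWSER_mitigation_block_netbios_udp'
& netsh.exe advfirewall firewall add rule name=$ruleName dir=in action=block protocol=UDP localport=137,138 profile=any

# 4. Verify: service stopped and disabled, rule present.
Get-WmiObject -Class Win32_Service -Filter "Name='Browser'" |
    Select-Object Name, State, StartMode
& netsh.exe advfirewall firewall show rule name=$ruleName
```

The edge-firewall block Microsoft recommended is still the control that protects the whole network; the host rule and the disabled service only protect this machine. If step 1 warned that the host is a master browser, expect another machine on the segment to win the next election and take over the role, so repeat the check there.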


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

67 Comments

Such a non-issue because it's only a proof-of-concept. No code is out in the wild, therefore no one needs to panic. And since it's restricted to just local networks it's going to be incredibly hard to exploit this. Follow the recommended workarounds and this will not be a problem at all. No fear mongering and no scare tactics on this one.
Thanks again to Microsoft spokesperson, Loverock Davidson. Nothing to see here go about your normal business of patching.

Yes, I know all software has bugs.
@Loverock Davidson
The fact that the POC exists means it IS an issue.

If the admins are doing their jobs, they see the article, check their firewall settings, make any changes they need to, and go about their day. That way, when POC moves to the wild and is actively attacking machines, they've put up their defenses.

I don't see any wringing hands or gnashing teeth in this article, just information.
0 Votes
LD is mocking...
wolf_z 18th Feb 2011
@thookerov

...Apple fanbois who always say that a POC is not an attack, that trojans are not viruses, etc.

I take it you're fairly new here? happy
0 Votes
trojans are no big deal, right?
search & destroy 18th Feb 2011
Naahhhh, of course not...

lol... grin
0 Votes
"Follow the recommended workarounds..." ???
UrNotPayingAttention 17th Feb 2011
@Loverock Davidson

What workarounds???

Taken from the article:
"Microsoft has not yet issued a formal security advisory with mitigation guidance or workarounds."
0 Votes
@chmod 777
Taken from the article:
Microsoft followed up with two separate blog posts discussing the ramifications of the problem and suggesting workarounds until a patch can be created and released.
0 Votes
Ryan Naraine writes, “‘In environments following best practices, the BROWSER protocol should be blocked at the edge firewalls thus limiting attacks to the local network,’ Wodrich said.”

Loverock Davidson writes, “Since it's restricted to just local networks it's going to be incredibly hard to exploit this.”

See the disconnect?
Isocrates,
It's his full-time job to paint a positive picture of Microsoft regardless of the issue. Loverock is always disconnected from the topic posted.
ZDNET is the only place he gets attention.
0 Votes
@Loverock Davidson

Such brain death is completely astounding, though not unexpected from a paid troll.

It ceased being a non-issue when it was published, the FACT that it is in ALL WinBLows versions leads me to suspect that the scumbags you work for knew about it all along but just did not care until it was made public like they have done with so many others!
0 Votes
RE: Microsoft confirms Windows BROWSER protocol zero-day
Alan Smithie Updated - 18th Feb 2011
Isn't it nice of ZDnet to employ a resident clown to keep us blog readers amused.
@Loverock Davidson It is an issue... If someone exploits one of your workstations they now have an open door into your domain controller. That's huge. A domain controller is incredibly important in a windows based network, exploiting it is no laughing matter.
0 Votes
More ZD crap
dgurney 18th Feb 2011
Another dumb-ass headline using "zero-day".

WTF is that supposed to mean? I don't think ZD knows, since in all these years they've never defined it.

COMMUNICATION FAILURE.
@dgurney - I don't see why ZDnet has to define common terms. Zero-day, or more specifically Zero-day attack, a.k.a. Zero-hour, zeroth attack - I'm sorry, a.k.a means also known as - and refers to an attack using a vulnerability that the developer/owner of the system is unaware of.

Of course this means that technically, as soon as Microsoft knows about the vulnerability, it is no longer a Zero-day threat.
0 Votes
Such brain death is completely astounding, though not unexpected from a paid troll.

Well as you can see, M$ has lowered their standards quite a bit. Only the dumb and the borderline retarded need apply.
Where are all the "there aren't any bugs in Mac/Linux" people? wink
@aureolin
If it helps you, there are no Bugs in Linux/Apple. /sarcasm
0 Votes
@aureolin There needs to be a Like Button on zdnet.

Like
0 Votes
What is a web browser doing on a PDC?
Richard Flude 17th Feb 2011
The MCSEs still don't get it.
0 Votes
@Richard Flude
LOL talk about not getting it LOLOL!!!
0 Votes
They're not the only ones, obviously
John Zern 17th Feb 2011
@Richard Flude. wink
0 Votes
What is a web browser doing on ZDNet?
Isocrates Updated - 17th Feb 2011
@Richard Flude

Did you locate this blog by link or were you just browsing?

Have you looked in your Computer Management Services, lately? Find a Computer Browser there? What? Nothing to do with the Web? Just browsing connected computers for network transmissions?

Lower level, done any packet browsing, lately? “Ah, but that is network communication,” you say. “Why would I be interested?” Well, this article is entitled, “Microsoft confirms Windows BROWSER protocol zero-day.” Perhaps, just perhaps, code can be written to browse packet transmission (Internet, Extranet, Intranet (Local Net), etc.) and violate current packet transmission protocol by injecting packets foreign to normal transmissions to accomplish any purpose desired by the packet attacker. Maybe a heap overflow to escape constraints and controls?
@Richard Flude
Not 100% sure about NT 3.51, but every version of NT Server since (NT 4, Win 2000 Server, 2003 Server, 2008 Server, 2008 Server R2) has come with a web browser. Up until Server 2008, it was kinda necessary so you could download Windows Update patches for the OS.
0 Votes
A fair cop, I was wrong
Richard Flude 17th Feb 2011
Struggling to keep up with the MS vulnerabilities in my inbox
@Richard Flude
Perhaps if you were an MCSE you would get it...
@Richard Flude Browser Service is a service that's designed to make browsing SMB networks easier... It's not a web browser.
Richard, I was wondering that myself, at first. Then I looked at the Full Disclosure email and realized this is for the MS Net browsing service, not web browser. (PDCs and other MS servers use this to keep track of Microsoft networking resources, to generate your "network neighborhood" file & print shares).
I *think* a port 137 block stops these packets. We block all the MS-Net ports at our department edge, so are perhaps OK until someone brings an infected PC in.
@aureolin I dunno, but they're still dumb. Personally I'm a Linux person, but I don't claim there are no bugs.
OMG will this generate another update?
0 Votes
Probably absent because of the sound thrashings they get from psychotic egos should they admit to those OSs. Many just don't feel like putting up with the needless and senseless bashing that goes on. Right or wrong, their contributions are refused and derided here. You would be too in their position.
0 Votes
Very confusing article

"Details on the vulnerability were released on the Full Disclosure mailing list"

The link in the article takes me here:
"MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow"

Second Link says: "All versions of Windows are vulnerable, although the issue is more likely to affect server systems running as the Primary Domain Controller (PDC)." and "Looking at the Exploitability Index (XI) rating scale, we would assign this an XI rating of 3 Functioning exploit code unlikely."

Nothing I see offers any specific way to block this other than "the BROWSER protocol should be blocked at the edge firewalls" - OK thanks a bunch for that tidbit. Should we be blocking UDP inbound port 138 ?
Couldn't agree more...I never even really understood what 'zero-day' means!
@jgs25 - See http://en.wikipedia.org/wiki/Zero-day_attack for a decent explanation
@dev/null
You didn't mention if you're administering a server.
But in my case, a single standalone machine, i just disabled my 'computer browser' service. As mentioned by one poster above.

start > run > type services.msc then disable the 'computer browser' service. (can be done thru admin acct only)
Sure, you've got your firewall blocking the vuln ports on this one, but it most likely will be delivered to your network when a user hits an infected website or opens some attachment in their Hotmail. Let's hope the fix comes in before the POC gets dropped into some kinda metasploit tool and...
0 Votes
buffer overrun.... again.
redking44 17th Feb 2011
I see this so often. Is Windows designed to be compromised? I see two ways to tackle this problem.

One way is to detect and kill any attempt to go past the end of a buffer: perhaps interrupt on write to the location at the end of the buffer, or a transfer mechanism that knows the length of the buffer and stops. An attempted buffer overrun would immediately terminate the transfer (best case) or crash the system.

The other weakness is mixing code and data in memory. Separate code and data spaces (both for user and kernel) would make it really hard for malformed data to corrupt code

And with Windows 7, Microsoft brings us yet more refined and elegant bells and whistles.
0 Votes
Intelligent. Very intelligent.
Isocrates 17th Feb 2011
@redking44 writes, “Separate code and data spaces (both for user and kernel) would make it really hard for malformed data to corrupt code.”

Perhaps such clear thinking is above the level of those highly educated experts at Microsoft? Or is it just a dinosaur corporation whose bloat makes it too sluggish to correct error-riddled outdated and vulnerable designs?
0 Votes
@Isocrates
I agree too. redking made a good point. Makes me remember one of Gibson and Laporte's SecurityNow podcasts, specifically his How Computers Work series, he talks about separating kernel code and user code spaces to keep malware from "jumping" across the stack or having two stacks - or something like that. Meh, I'm not a coder and I don't quite remember so don't beat me.
@Isocrates

It's actually a very old idea that never caught on because MS broke the commercial market before these kinds of issues were even imagined.

All PCs are Von Neumann designs, meaning they have contiguous data and program stacks, designed that way for an open and easy programming platform that was also easily scalable.

The rest of industry uses microprocessor and microcontroller hardware that has the Harvard-designed separate data and program areas. These predate PCs by a significant margin and are why you never hear of embedded architecture being hacked. Without a direct connection to the code (normally in EEPROM) it's practically impossible to hack, mainly because the hacker HAS to be on-site.

These systems also outnumber PCs by hundreds or thousands to one, they are in everything from TVs to microwaves and have been performing silently, reliably and invisibly for decades.

Once PCs finally die, and we move to embedded electronic architecture in our homes and even bodies, this problem will go away on its own because embedded is also distributed, and it's very hard to design a distributed Von Neumann system, which is of course why our Cloud is extremely unreliable. It's not integrated from the start; it's cobbled together from bits just like the PC is.
@Richard Flude As mentioned above, this is NOT a "web browser" but a PROTOCOL written for browsing drives on a network. The current configuration, released in 2007, has NEVER had any security associated with it. Check the following on MSDN: [MS-BRWS]: Common Internet File System (CIFS) Browser Protocol Specification
msdn.microsoft.com/en-us/library/cc224520%28v=PROT.10%29.aspx
0 Votes
@Loverock Davidson

Listen FUDmeister, take a hike!

The ONLY reason Godfather Ball More did that is because after the FiaSCO he funded fell on its face he is coming to the conclusion that it is better to piss off the intelligent if he can still lead the pathetic masses of sheep!
Fortunately for MS, the general buying population doesn't see them or care about security.
@Joe.Smetona Probably doesn't matter to the average public unless they have a network with shared files... Which most people do not have.
Where's the quote from the Metasploit tool folks that says that they can't find a way to exploit this bug. And that it CANNOT be used on 32-bit OS versions.

Jeez, if you are going to blog a vulnerability with a PANIC NOW headline, you should at least be responsible enough to get all the facts and publish them too.
0 Votes
Confused?
ThePublicEye 18th Feb 2011
Dear readers: FYI, this vulnerability has nothing to do with WEB browsers (e.g., IE, Firefox, etc.). Rather, it concerns ye olde Browser service which runs on Windows machines, enabling them to locate shared resources such as printers and file shares.

Hope this helps.
Killing the browser service should moot this problem but it isn't mentioned as a workaround on the blog entries noted above. We need an official MS article on this.
I doubt that most environments block this within the network, making it look very enticing to the bad guys to develop a wormable threat.
I wonder if security researcher would exploit security holes in Google Chrome. I am sure there are tons
0 Votes