Microsoft Fails to Patch a Zero-Day Vulnerability – Exploit Is Now Live on GitHub
A security researcher has released a Windows zero-day exploit on GitHub after Microsoft failed to release a fix, despite being warned three months ago. The exploit is now public, and the CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued a security advisory in response.
Microsoft fails to patch the reported bug
CERT/CC has advised administrators to block outbound SMB connections, because the flaw is a memory corruption bug in the way the Windows SMB client handles responses from a server it connects to. Nothing has to be listening on the victim; a remote, unauthenticated attacker only needs the vulnerable machine to connect to a server under the attacker's control, which is enough to cause a denial of service.
Named Win10.py, the proof-of-concept was published on GitHub by security researcher Laurent Gaffie. According to CERT/CC, the vulnerability is "a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system".
Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.
By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.
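To make the advisory's description concrete, here is an added example in Python (not from the original article, and not Gaffie's Win10.py script) that builds a well-formed SMB2 TREE_CONNECT Response and a second one carrying extra bytes after the 16-byte structure, then applies the length check a client or an inspecting proxy would use to reject the second. The header and body layouts and the constants follow MS-SMB2 (section 2.2.1 for the header, 2.2.10 for the response); the frames are constructed here, and the tree id, share flags and maximal-access values in the builder are arbitrary. The example does not reproduce the kernel crash; the article gives no detail on what mrxsmb20.sys does with the trailing bytes, so only the malformed shape is modelled.

```python
import struct

# Layout and constants from MS-SMB2 (assumed from the public spec).
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_HEADER_SIZE = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
TREE_CONNECT_RESPONSE_SIZE = 16   # StructureSize of the TREE_CONNECT Response
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ"  # 48 bytes, followed by a 16-byte Signature


class SmbResponseError(ValueError):
    """Raised when a server response does not match the structure it claims."""


def build_tree_connect_response(tree_id: int, trailing: bytes = b"") -> bytes:
    """Build a NetBIOS-framed server TREE_CONNECT Response (constructed data).

    `trailing` is appended after the 16-byte structure to model the
    'too many bytes' response described in the CERT/CC advisory.
    """
    header = struct.pack(
        SMB2_HEADER_FMT,
        SMB2_PROTOCOL_ID, SMB2_HEADER_SIZE,
        1,                          # CreditCharge
        0,                          # Status: STATUS_SUCCESS
        SMB2_TREE_CONNECT,
        1,                          # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR, # server-to-client
        0,                          # NextCommand: not compounded
        3,                          # MessageId (arbitrary)
        0,                          # Reserved
        tree_id,
        0x1234,                     # SessionId (arbitrary)
    ) + b"\x00" * 16                # Signature (unsigned)
    body = struct.pack(
        "<HBBIII",
        TREE_CONNECT_RESPONSE_SIZE,
        0x01,                       # ShareType: SMB2_SHARE_TYPE_DISK
        0,                          # Reserved
        0,                          # ShareFlags
        0,                          # Capabilities
        0x001F01FF,                 # MaximalAccess: FILE_ALL_ACCESS
    ) + trailing
    msg = header + body
    # NetBIOS session service header: type 0x00 plus 3-byte big-endian length.
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def parse_tree_connect_response(frame: bytes) -> dict:
    """Parse a server TREE_CONNECT Response, rejecting bytes beyond its structure."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise SmbResponseError("bad NetBIOS session header")
    nb_len = int.from_bytes(frame[1:4], "big")
    msg = frame[4:]
    if len(msg) != nb_len:
        raise SmbResponseError(f"NetBIOS length {nb_len} != payload {len(msg)}")
    if len(msg) < SMB2_HEADER_SIZE:
        raise SmbResponseError("truncated SMB2 header")

    (proto, hdr_size, _credit_charge, status, command, _credits, flags,
     next_cmd, _msg_id, _reserved, tree_id, _session_id) = struct.unpack_from(
        SMB2_HEADER_FMT, msg, 0)
    if proto != SMB2_PROTOCOL_ID or hdr_size != SMB2_HEADER_SIZE:
        raise SmbResponseError("not an SMB2 header")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise SmbResponseError("not a server-to-client message")
    if command != SMB2_TREE_CONNECT:
        raise SmbResponseError(f"unexpected command 0x{command:04x}")
    if next_cmd != 0:
        raise SmbResponseError("compound response not expected for TREE_CONNECT")

    body = msg[SMB2_HEADER_SIZE:]
    if len(body) < 2:
        raise SmbResponseError("missing TREE_CONNECT Response body")
    structure_size = struct.unpack_from("<H", body, 0)[0]
    if structure_size != TREE_CONNECT_RESPONSE_SIZE:
        raise SmbResponseError(f"StructureSize {structure_size} != 16")
    # The check that matters here: the body must be exactly the 16 bytes the
    # structure defines. Anything after it is the malformed shape in the advisory.
    extra = len(body) - TREE_CONNECT_RESPONSE_SIZE
    if extra != 0:
        raise SmbResponseError(f"{extra} bytes beyond the TREE_CONNECT Response structure")

    share_type, _reserved, share_flags, capabilities, max_access = struct.unpack_from(
        "<BBIII", body, 2)
    return {"status": status, "tree_id": tree_id, "share_type": share_type,
            "share_flags": share_flags, "capabilities": capabilities,
            "maximal_access": max_access}


def is_malformed(frame: bytes) -> bool:
    """True if the frame fails the structural checks above."""
    try:
        parse_tree_connect_response(frame)
    except SmbResponseError:
        return True
    return False


if __name__ == "__main__":
    good = build_tree_connect_response(tree_id=1)
    bad = build_tree_connect_response(tree_id=1, trailing=b"A" * 0x200)
    print(parse_tree_connect_response(good))
    print("malformed response rejected:", is_malformed(bad))
```

The check is deliberately strict: a conforming SMB2 client has no reason to accept a TREE_CONNECT Response longer than its declared structure, so "exactly 16 bytes" is the right acceptance test for a client or for an inline inspector that wants to drop such responses before they reach Windows. A check of this kind in a proxy is not a substitute for the vendor fix, since the client itself still does the parsing that crashes.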
The CERT/CC said it is currently unaware of a practical solution to this problem, but offered the following workaround.
Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.
The researcher published the proof-of-concept last week, but a patch is not expected until February 14. When it was suggested that publishing the exploit was irresponsible, Gaffie said the responsibility lies with Microsoft.
If I'm not rewarded in any way for the free work I'm doing for this multi-billion company, why should I tolerate them sitting on my bugs?
— Responder (@PythonResponder) February 1, 2017
This is not the first time the Redmond software maker has been in the headlines for being careless about its users' security. In October last year, Google's Threat Analysis Group disclosed details of a critical Windows security vulnerability in a public post after Microsoft failed to ship a patch.
"We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson had said at the time. "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
Microsoft PR has repeated that closing recommendation to use Windows 10 several times. It is misleading here, because Windows 10 is also vulnerable to many of these exploits: CERT/CC confirmed the Win10.py crash on fully patched Windows 10.