Did Microsoft Patch Miss the Mark?By Ryan Naraine | Posted 2006-07-31 Email Print
Exploit code for a flaw patched in Microsoft's "critical" MS06-035 bulletin is released on the Internet, but the company's security response team says this is a brand-new, unpatched vulnerability.
An anonymous security researcher has posted a proof-of-concept exploit for a flaw patched in Microsoft's "critical" MS06-035 bulletin, but the company's security response team says the issue is actually a brand-new, unpatched vulnerability.
The researcher, who uses the online moniker "cocoruder," published the attack code on the Milw0rm Web site alongside a claim that it exploits a memory corruption in Mailslot to trigger a blue-screen Windows crash.
Microsoft shipped a Mailslot fix in the MS06-035 update released on July 11, but although the published code targets a similar flaw, Microsoft insists the exploit does not affect the same code path or functionality or vulnerability that was addressed by the update.
"We now have a good understanding of the issue and we are conducting a thorough investigation into this area of code to make sure we can deliver a security update that is complete and meets our quality bar," said Adrian Stone, a program manager in Microsoft's security response center.
In a blog entry posted on July 28, Stone said the proof-of-concept is limited to a denial of service that would cause the target host to crash. "At this time we have not identified any possibilities with this issue that could allow remote code execution," he said.
"We have not observed or received any reports of the [exploit] being used to actively attack systems," Stone added.
Because the vulnerability exists in the Server Message Block protocol that runs on TCP ports 139 and 445, Microsoft recommends that these ports should be blocked at perimeter firewalls, both inbound and outbound.
After reviewing the exploit code, researchers at the ISS X-Force vulnerability research unit described the bug as a "null pointer dereference" in the server driver (srv.sys).
"By sending a specially-crafted network packet to an affected system, a remote attacker could cause the system to crash," the company said in an alert published July 28.
"Users must reboot to recover from the crash. An exploit is available in the wild. As of this writing no patch is available for the vulnerability," the company warned.
Affected software includes fully patched versions of 2000 SP4, Windows Server 2003 and Windows XP SP2.
The alert said it is "unlikely" that the new flaw could result in remote code execution but warned that "complete system crashes are reliable."
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.