MA-272.022011 : MyCERT Alert - Critical Vulnerability in Microsoft Windows
Date of publication: 2011-02-17
1.0 Introduction
A critical vulnerability (CVE-2011-0654) has been identified in Microsoft Windows SMB. If successfully exploited, the vulnerability will cause the application to crash and could potentially allow an attacker to take control of the affected system.
The vulnerability exists because of a heap overflow error in the "BowserWriteErrorLogEntry()" function within the Windows NT SMB Minirdr "mrxsmb.sys" driver when processing malformed Browser Election requests. [1]
MyCERT is aware that the PoC code and 0-day exploit currently available on the Internet cause a DoS, but some researchers have mentioned that they are able to produce a code execution exploit from this vulnerability.
2.0 Impact
An attacker who successfully exploits this vulnerability will be able to execute code remotely with elevated privileges. Unsuccessful attacks may cause a denial of service (DoS).
3.0 Affected Products
The detailed list of vulnerable products and versions is as below:
- Microsoft Windows XP Service Pack 3
- Microsoft Windows Server 2003 Service Pack 2
4.0 Recommendations
As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following recommendation as a temporary workaround:
4.1 Restrict access to the server's broadcast domain and block UDP ports 137, 138 and TCP ports 139, 445 at the network perimeter using firewall rules. [2]
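One way to check that a perimeter ruleset really covers the four protocol/port pairs in 4.1, as an added example that is not part of the MyCERT advisory. It assumes a Linux gateway whose rules were exported with iptables-save, forwarded traffic filtered in the FORWARD chain, and a WAN interface named eth0; rules with extra matchers (source address, connection state) are skipped as partial and jumps to user-defined chains are not followed.

```python
import shlex

# Protocol/port pairs from the advisory's workaround (section 4.1).
REQUIRED = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)]
# Constructed iptables-save sample: TCP 445 is dropped for one source only.
SAMPLE = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p udp -m multiport --dports 137,138 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -s 192.0.2.0/24 -p tcp --dport 445 -j DROP
COMMIT"""

def parse_ports(spec):
    """Expand '445', '137:139' or '139,445' into a set of port numbers."""
    bounds = [part.split(":") for part in spec.split(",")]
    return {n for b in bounds for n in range(int(b[0]), int(b[-1]) + 1)}

def parse_rule(tokens, wan):
    """Return (proto, ports, target, scoped) for the tokens after '-A <chain>'."""
    proto = ports = target = None
    scoped, i = False, 0  # scoped: matchers beyond proto/port/WAN interface
    while i < len(tokens) and target is None:
        opt, val = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""
        if opt == "-p":
            proto = val
        elif opt in ("--dport", "--dports"):
            ports = parse_ports(val)
        elif opt == "-j":
            target = val
        elif opt == "!" or not (opt == "-m" or (opt == "-i" and val == wan)):
            scoped = True
        i += 1 if opt == "!" else 2
    return proto, ports, target, scoped

def audit(ruleset, chain="FORWARD", wan="eth0"):
    """Map each required (proto, port) to 'blocked' or 'open' for one chain."""
    lines = [shlex.split(line) for line in ruleset.splitlines()]
    policy = next((t[1] for t in lines if t[:1] == [":" + chain]), "ACCEPT")
    rules = [parse_rule(t[2:], wan) for t in lines if t[:2] == ["-A", chain]]
    result = {}
    for proto, port in REQUIRED:
        hits = [t for p, ps, t, scoped in rules if not scoped
                and t in ("ACCEPT", "DROP", "REJECT")
                and p in (None, "all", proto) and (ps is None or port in ps)]
        verdict = hits[0] if hits else policy  # first match wins, else policy
        result[(proto, port)] = "open" if verdict == "ACCEPT" else "blocked"
    return result
```

Calling audit(SAMPLE) reports TCP 445 as open, because the only DROP rule for it is limited to one source address and the chain policy is ACCEPT.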
MyCERT would like to advise the users of Microsoft Windows to be vigilant of the latest security announcements by Microsoft and ensure that their operating systems are automatically updated. The article on how to enable the auto update feature in Microsoft is available at the following URL:
- http://www.mycert.org.my/en/resources/os/main/main/detail/707/index.html
Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:
- http://secunia.com/vulnerability_scanning/personal/
MyCERT can be reached through the following channels for further assistance:
- E-mail: mycert@mycert.org.my
- Phone: 1-300-88-2999 (monitored during business hours)
- Fax: +603 89453442
- Handphone: +60 19 2665850 (24x7 call incident reporting)
- SMS: CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
- Business Hours: Mon - Fri 08:30 - 17:30 MYT
- Web: http://www.mycert.org.my
5.0 References
[1] http://www.vupen.com/english/advisories/2011/0394
[2] http://www.kb.cert.org/vuls/id/323172
[3] http://lists.grok.org.uk/pipermail/full-disclosure/2011-February/079189.html