Windows users will remember that back in November two potentially harmful zero-day flaws were spotted in Windows 10 by Microsoft developers, who brushed aside concerns as harmless for devices running the Windows 10 Anniversary Update. One zero-day flaw was employed by the Fancy Bear hackers, aka STRONTIUM, in phishing campaigns aimed at US firms, and the other was directed at South Korean companies. Microsoft said that both zero-day flaws were kernel-level exploits used mainly for privilege elevation, and that the company patched them in November 2016. Despite all these lofty claims and assurances by Microsoft, as it turned out, a zero-day flaw remained on the system undetected until an independent security researcher spotted the issue and released a Windows Server zero-day exploit on GitHub along with a fix. This zero-day bug is now out in the open, prompting the US-CERT Coordination Center (CERT/CC) at Carnegie Mellon University to issue a security advisory. Do note that Microsoft issued this statement back in November 2016, claiming to have the zero-day vulnerability under control:
We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.
On the contrary, a zero-day security bug remained on the system just as it was before Microsoft detected it. Here is what followed.
Microsoft Botched Attempt To Patch A Security Bug
Microsoft’s negligence in patching a potentially dangerous security bug has forced US-CERT to warn server admins everywhere to stop all outbound SMB connections, as the zero-day vulnerability is capable of corrupting memory while servers are relaying SMB traffic. When triggered, this security bug allows a remote attacker to terminate or interrupt service delivery on the affected system.
However, security researcher Laurent Gaffie noticed that the zero-day bug was still present on the system and generously released a fix of his own, which is available on GitHub. US-CERT declared that the vulnerability is “a memory corrupting bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.”
Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specifically-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure.
By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.
The CERT/CC went on to say that it is not aware of any officially available solution to the problem, but suggested: “Consider blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.”
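The workaround the CERT/CC describes (and that US-CERT's warning to server admins amounts to) is a host or perimeter firewall rule for outbound SMB and NetBIOS traffic. The following PowerShell is an added example of applying and verifying that workaround on a single Windows host with the built-in NetSecurity cmdlets; it is not code from the article, from Gaffie or from CERT/CC. The rule names, the group label and the use of the `Internet` address keyword to stand in for "the WAN" are my own choices, and it must be run from an elevated session.

```powershell
# Added example (not from the article or the CERT/CC advisory): block outbound
# SMB/NetBIOS from this host to non-local addresses and verify the rules exist.
# Rule names and group label are assumed; run from an elevated PowerShell session
# on Windows 8.1/10 or Windows Server 2012 R2/2016.

$group = 'SMB outbound mitigation (assumed group name)'

# TCP 139/445 carry NetBIOS session service and direct-hosted SMB;
# UDP 137/138 carry NetBIOS name and datagram services.
# -RemoteAddress Internet limits the block to addresses outside the local
# subnet ranges; replace it with explicit CIDR ranges if your WAN boundary
# is defined differently.
$rules = @(
    @{ Name = 'Block-Outbound-SMB-TCP';     Protocol = 'TCP'; Ports = @(139, 445) },
    @{ Name = 'Block-Outbound-NetBIOS-UDP'; Protocol = 'UDP'; Ports = @(137, 138) }
)

foreach ($r in $rules) {
    # Idempotent: only create a rule that is not already present.
    if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Group $group `
            -Direction Outbound -Action Block -Enabled True -Profile Any `
            -Protocol $r.Protocol -RemotePort $r.Ports -RemoteAddress Internet | Out-Null
    }
}

# Verification: each rule must be enabled, outbound, blocking, and carry every
# expected remote port in its port filter. Returns $true only if all pass.
function Test-SmbOutboundBlock {
    foreach ($r in $rules) {
        $rule = Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue
        if (-not $rule) {
            Write-Warning "$($r.Name) is missing"; return $false
        }
        if ($rule.Enabled -ne 'True' -or $rule.Direction -ne 'Outbound' -or $rule.Action -ne 'Block') {
            Write-Warning "$($r.Name) is not an enabled outbound block rule"; return $false
        }
        $filter  = $rule | Get-NetFirewallPortFilter
        $wanted  = $r.Ports | ForEach-Object { [string]$_ }
        $missing = $wanted | Where-Object { $_ -notin $filter.RemotePort }
        if ($missing) {
            Write-Warning "$($r.Name) lacks remote ports: $($missing -join ', ')"; return $false
        }
    }
    return $true
}

Test-SmbOutboundBlock
```

Scoping the rules with `-RemoteAddress Internet` keeps file-sharing and domain traffic on the local subnet working while cutting off the outbound connections to arbitrary servers that the advisory is concerned with; on a domain-joined fleet the same rules are better pushed through Group Policy than created per host.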
The security researcher posted the solution last week, but the official patch will not arrive until February 14. Some are voicing displeasure over Gaffie’s release of the fix, to which he responded in the following tweet:
If I’m not rewarded in any way for the free work I’m doing for this multi-billion company, why should I tolerate them sitting on my bugs?
— Responder (@PythonResponder) February 1, 2017
Microsoft has a record of taking user data security and privacy lightly, which does not bode well for the reputation of Windows. Microsoft needs to get its act together and tighten user data protection and security by implementing foolproof measures.