The CERT Team has revealed an existing vulnerability in Microsoft's Windows operating systems, including Windows 10, that may allow a remote, unauthenticated attacker to gain access to the Windows system. They discovered a zero-day vulnerability in the Server Message Block (SMB) implementation of Windows that lets attackers carry out denial-of-service attacks and crash the entire operating system, producing a Blue Screen of Death (BSOD).
CERT collaborates with government organizations, like the U.S. Department of Defense and the Department of Homeland Security (DHS); law enforcement, including the FBI; the intelligence community; and many industry organizations on cybersecurity matters.
By exploiting the vulnerability, attackers can mount all sorts of attacks, such as downloading malicious code onto the victim's PC. According to CERT, the vulnerability applies to Microsoft Windows 8.1 and Windows 10. It may also affect Windows Server systems, namely Windows Server 2016 and Windows Server 2012 R2.
The CERT notice reads:
“Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”
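As an added illustration of the length check the CERT note says Windows omits, here is a small validator for an SMB2 TREE_CONNECT response that flags any bytes beyond the fixed 16-byte structure. This is example code written for this article, not code from CERT, Microsoft or the researcher; the field offsets and constants are assumed from the MS-SMB2 specification, and the sample messages are constructed inline.

```python
import struct

# Layout and constants assumed from MS-SMB2 (not taken from the article)
SMB2_HEADER_LEN = 64
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_TREE_CONNECT = 0x0003            # Command field value
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses
TREE_CONNECT_RESPONSE_LEN = 16        # StructureSize the server MUST send


def check_tree_connect_response(msg: bytes) -> str:
    """Return 'ok' or a short reason why the response must be rejected.

    This is the validation a hardened client, proxy or IDS should apply
    before trusting the body of a TREE_CONNECT response.
    """
    if len(msg) < SMB2_HEADER_LEN:
        return "short header"
    if msg[:4] != SMB2_PROTOCOL_ID:
        return "not SMB2"
    (hdr_size,) = struct.unpack_from("<H", msg, 4)    # header StructureSize
    (command,) = struct.unpack_from("<H", msg, 12)    # Command
    (flags,) = struct.unpack_from("<I", msg, 16)      # Flags
    if hdr_size != SMB2_HEADER_LEN:
        return "bad header StructureSize"
    if command != SMB2_TREE_CONNECT or not (flags & SMB2_FLAGS_SERVER_TO_REDIR):
        return "not a TREE_CONNECT response"
    body = msg[SMB2_HEADER_LEN:]
    if len(body) < TREE_CONNECT_RESPONSE_LEN:
        return "truncated TREE_CONNECT response"
    (struct_size,) = struct.unpack_from("<H", body, 0)
    if struct_size != TREE_CONNECT_RESPONSE_LEN:
        return f"bad StructureSize {struct_size}"
    # The check the CERT note describes as missing: nothing may follow the structure
    if len(body) != TREE_CONNECT_RESPONSE_LEN:
        return f"{len(body) - TREE_CONNECT_RESPONSE_LEN} unexpected trailing bytes"
    return "ok"


def build_tree_connect_response(trailing: bytes = b"") -> bytes:
    """Constructed test sample: a minimal well-formed response, optionally
    followed by extra bytes to model the oversized response CERT describes."""
    header = bytearray(SMB2_HEADER_LEN)
    header[:4] = SMB2_PROTOCOL_ID
    struct.pack_into("<H", header, 4, SMB2_HEADER_LEN)
    struct.pack_into("<H", header, 12, SMB2_TREE_CONNECT)
    struct.pack_into("<I", header, 16, SMB2_FLAGS_SERVER_TO_REDIR)
    # StructureSize, ShareType (1 = disk), Reserved, ShareFlags, Capabilities, MaximalAccess
    body = struct.pack("<HBBIII", TREE_CONNECT_RESPONSE_LEN, 1, 0, 0, 0, 0x001F01FF)
    return bytes(header) + body + trailing
```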
Microsoft not rushing to Patch zero-day vulnerability
Apparently, Microsoft rated this vulnerability as low risk and will not rush the patch release. Laurent Gaffié, the researcher behind this zero-day, tweeted that he had found a zero-day vulnerability in SMBv3 and released a proof-of-concept exploit on GitHub.
Laurent claims to have privately disclosed the issue to Microsoft on September 25 last year. Microsoft responded that it had a patch ready for its December patch release, but decided to wait until its scheduled February 14 “Patch Tuesday” update so that it could release several SMB patches together rather than a single fix in December.
Workaround
According to CERT, there is no practical fix for the vulnerability at this time. The organization advises blocking outbound SMB connections from the local network to the WAN.