Windows Server SMB zero-day exploit released after Microsoft failed to issue patch for three months


US CERT recommends blocking all outbound SMB connections until Microsoft (finally) issues patch

An exploit taking advantage of a Microsoft Windows Server zero-day security vulnerability has been released into the wild after the company failed to issue a patch, despite having been warned of the problem three months ago. 

The proof-of-concept exploit, dubbed Win10.py, was released on GitHub five days ago by security researcher Laurent Gaffie.

According to US CERT, the vulnerability is "a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system". 

It continues: "Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. 

"By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2."
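The fault US-CERT describes is a server response that is longer than the fixed 16-byte TREE_CONNECT Response structure defined in MS-SMB2. The following Python is an added example, not Gaffie's Win10.py and not anything from the advisory: it builds SMB2 messages with the field layout from MS-SMB2 (64-byte header, 16-byte TREE_CONNECT Response body) and flags responses that carry bytes beyond that structure, the kind of check a proxy or IDS rule could apply to server-to-client SMB traffic. It does not reproduce the crash; the sample messages are constructed here for exercising the check, and the values for share type and maximal access are arbitrary. One caveat it handles: in a compound reply the bytes after the first structure belong to the next message (located by the header's NextCommand offset), so they must not be reported as trailing data.

```python
import struct

# Field layouts from MS-SMB2: SMB2 header (2.2.1.2) and TREE_CONNECT Response (2.2.10).
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server-to-client message
TREE_CONNECT_RESPONSE_LEN = 16            # StructureSize of a TREE_CONNECT Response
ERROR_RESPONSE_LEN = 9                    # StructureSize of an SMB2 ERROR Response


def build_smb2_header(command, flags, next_command=0, status=0,
                      message_id=1, tree_id=1, session_id=0x1000):
    """64-byte little-endian SMB2 header (values other than the layout are arbitrary)."""
    return struct.pack(
        SMB2_HEADER_FMT,
        SMB2_MAGIC,       # ProtocolId
        SMB2_HEADER_LEN,  # StructureSize, always 64
        1,                # CreditCharge
        status,           # Status: 0 = success
        command,          # Command
        1,                # CreditResponse
        flags,            # Flags
        next_command,     # NextCommand: offset of the next message in a compound reply, 0 if none
        message_id,       # MessageId
        0,                # Reserved
        tree_id,          # TreeId
        session_id,       # SessionId
        b"\x00" * 16,     # Signature (unsigned here)
    )


def build_tree_connect_response(share_type=0x01, share_flags=0,
                                capabilities=0, maximal_access=0x001F01FF):
    """16-byte body: StructureSize, ShareType, Reserved, ShareFlags, Capabilities, MaximalAccess."""
    return struct.pack("<HBBIII", TREE_CONNECT_RESPONSE_LEN, share_type, 0,
                       share_flags, capabilities, maximal_access)


def check_tree_connect_response(msg):
    """Inspect one server-to-client SMB2 message; return a list of findings (empty = well-formed).

    The finding that matters for the advisory is the last one: bytes left over after the
    16-byte structure that are not claimed by a following compound message.
    """
    findings = []
    if len(msg) < SMB2_HEADER_LEN:
        return ["message shorter than the 64-byte SMB2 header"]
    (magic, hdr_size, _credit_charge, status, command, _credits, flags, next_command,
     _msg_id, _reserved, _tree_id, _session_id, _sig) = struct.unpack(SMB2_HEADER_FMT, msg[:SMB2_HEADER_LEN])
    if magic != SMB2_MAGIC:
        return ["not an SMB2 message (bad ProtocolId)"]
    if hdr_size != SMB2_HEADER_LEN:
        findings.append("header StructureSize %d != 64" % hdr_size)
    if command != SMB2_TREE_CONNECT:
        return findings + ["command 0x%04x is not TREE_CONNECT" % command]
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        findings.append("SERVER_TO_REDIR flag clear: this is a request, not a response")

    # In a compound reply NextCommand is the length of this message; otherwise the body
    # runs to the end of the buffer.
    body_end = next_command if next_command else len(msg)
    if body_end > len(msg):
        return findings + ["NextCommand points past the end of the buffer"]
    body = msg[SMB2_HEADER_LEN:body_end]
    if len(body) < 2:
        return findings + ["body too short to carry a StructureSize"]
    structure_size = struct.unpack_from("<H", body, 0)[0]

    if status != 0:
        # A failed TREE_CONNECT carries an ERROR Response body, not a TREE_CONNECT body.
        if structure_size != ERROR_RESPONSE_LEN:
            findings.append("error response StructureSize %d != 9" % structure_size)
        return findings

    if structure_size != TREE_CONNECT_RESPONSE_LEN:
        findings.append("StructureSize %d != 16" % structure_size)
    if len(body) < TREE_CONNECT_RESPONSE_LEN:
        findings.append("body truncated: %d of 16 bytes" % len(body))
    elif len(body) > TREE_CONNECT_RESPONSE_LEN:
        findings.append("%d trailing byte(s) after the TREE_CONNECT Response structure"
                        % (len(body) - TREE_CONNECT_RESPONSE_LEN))
    return findings


# Constructed sample messages (not captured traffic).
GOOD_RESPONSE = (build_smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR)
                 + build_tree_connect_response())
# Over-long body of the shape the advisory describes: valid structure plus unexpected bytes.
OVERSIZED_RESPONSE = GOOD_RESPONSE + b"A" * 200
# Compound reply: the bytes after the first structure are the next message, not trailing data.
_FIRST_LEN = SMB2_HEADER_LEN + TREE_CONNECT_RESPONSE_LEN   # 80, 8-byte aligned as MS-SMB2 requires
COMPOUND_RESPONSE = (
    build_smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR, next_command=_FIRST_LEN)
    + build_tree_connect_response()
    + build_smb2_header(SMB2_TREE_CONNECT, SMB2_FLAGS_SERVER_TO_REDIR, message_id=2)
    + build_tree_connect_response()
)

if __name__ == "__main__":
    for name, sample in (("good", GOOD_RESPONSE), ("oversized", OVERSIZED_RESPONSE),
                         ("compound", COMPOUND_RESPONSE)):
        print(name, check_tree_connect_response(sample) or "ok")
```

The check is deliberately strict about the body length rather than about the content of the extra bytes, because the advisory's description is about length alone; a checker that only looked for a particular payload would miss other over-long responses that exercise the same code path in mrxsmb20.sys.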

US CERT recommends blocking outbound SMB connections - TCP ports 139 and 445 along with UDP ports 137 and 138 - from the local network to the wide area network, so that client systems cannot be induced to connect to a malicious SMB server outside the organisation. Note that a perimeter rule only covers connections that leave the local network; an attacker able to run an SMB server inside the LAN is not stopped by it.

Despite the publication of the proof-of-concept code last week, Microsoft still hasn't issued a patch, or revealed when a patch will be ready. 

In response to suggestions that it was irresponsible to publicise the security flaw and to publish the exploit, Gaffie suggested that the responsibility lies with Microsoft. "If I'm not rewarded in any way for the free work I'm doing for this multi-billion company, why should I tolerate them sitting on my bugs?" he asked over Twitter. 
