Microsoft Confirms Windows Denial-of-Service Flaw

Microsoft today confirmed the existence of an unpatched Windows flaw that could allow a remote attacker to crash the system and produce a blue screen.

A specially crafted network packet sent to an affected system could trigger a crash because of a null pointer dereference vulnerability in the Server Message Block (SMB) server driver (srv.sys). Internet Security Systems (ISS) recommends blocking TCP ports 139 and 445 at the perimeter firewall, both inbound and outbound.

Affected products include:

  • Windows 2000 SP4
  • Windows Server 2003
  • Windows Server 2003 Itanium
  • Windows Server 2003 SP1
  • Windows Server 2003 SP1 Itanium
  • Windows Server 2003 x64 Edition
  • Windows XP Pro x64 Edition
  • Windows XP SP1
  • Windows XP SP2

Microsoft said today that it is researching the flaw. In a Microsoft Security Response Center blog, Adrian Stone commented, "While this appears to have been found after the release of MS06-035 [last month's Patch Tuesday update], this does not affect the same code path or functionality or vulnerability that was addressed by the update."

Stone also said that Microsoft has not identified any scenarios where the flaw would allow remote code execution, nor has it received any reports of the proof-of-concept (PoC) code being used to actively attack systems.

The flaw was originally misidentified as a proof of concept for the Windows Mailslot vulnerability (MS06-035). ISS says it's unlikely that this vulnerability could result in remote code execution.

The vulnerability was discovered and researched by Tom Cross, David Means and Scott Warfield of the ISS X-Force.