Security Protection – Harry Waldron MVP Rotating Header Image

Windows – New SMB mrxsmb.dll vulnerability

While exploitation may be difficult to achieve, active Firewall protection should help mitigate this new risk until a security patch emerges.

Windows 0-day SMB mrxsmb.dll vulnerability http://isc.sans.edu/diary.html?storyid=10423
http://www.vupen.com/english/advisories/2011/0394
http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx
http://seclists.org/fulldisclosure/2011/Feb/285

QUOTE: A new vulnerability has been discovered exploiting SMB component of Windows. The attack involves sending of malformed Browser Election requests leading the heap overflow within the mrxsmb.dll driver. The vulnerability is known to be able to cause DoS and fully control of vulnerable machines. Proof of concept code for DoS had been released. There are reports that this exploit only work on local network segment (this hasn’t been verified).

The general practice of block port 137, 138, 139 and 445 should be observed especially with this 0-day. MS SRD has posted a blog on this vulnerability stating that remote exploit leading to code execution is highly unlikely.

Leave a Reply