DoS hole in Windows Server service

A blog entry from Microsoft's Security Response Team provides details on a newly discovered vulnerability in Windows. Successfully attacks can crash a computer over the network.

An exploit for the security hole is already widely available. The flaw is hidden in the driver for Server services (srv.sys) and is exploited by a specially crafted SMB packet. A successful attack can potentially cause a blue screen error. A brief test at the heise Security editorial offices brought a fully patched copy of Windows XP SP2 into an immediate restart. Ports 135, 139 or 445 must be accessible for the attack to be effective. These ports are opened on Windows XP systems with Service Pack 2 if the file and printer sharing option is activated in the built-in firewall. This exception is not activated by default.

At the moment, the only way to protect against these attacks is to block completely the affected ports or to permit access to them only from approved IP addresses. Microsoft is examining the problem but currently believes that the hole cannot be used to smuggle code onto a computer. Based on past experience, it is related to a null pointer dereference; this occurs when an attempt is made to access data referenced by a pointer, when that pointer has previously been set to NULL - it effectively point to an undefined area of memory. Windows 2000, Windows XP SP1 and SP2 as well as Windows Server 2003 are all affected.

An update will probably be made available on the next Patch Tuesday in August. On the last Patch Tuesday, Microsoft released a patch (MS06-035) for Server services that was intended to close two holes. One of those allowed for malicious code to be smuggled onto the PC and executed.

See also:

• Information About Public Postings Related to MS06-035, advisory from Microsoft's Security Response Team

(ehe)