February 18, 2011

An anonymous reporter has publicly announced a previously undisclosed vulnerability affecting the BROWSER protocol on Windows systems. In addition, the reporter has released proof-of-concept exploit code. Use of the code can result in a denial-of-service condition on the target host, and the reporter has speculated that remote code execution is also possible.

Microsoft indicates that all versions of Windows are vulnerable. The vulnerability affects hosts that are or could become the Master Browser on the local network, such as the Primary Domain Controller. You may also be at risk if your hosts have Windows file shares exposed to the Internet.

Detailed information about this vulnerability is available at:
http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx
and
http://blogs.technet.com/b/mmpc/archive/2011/02/16/my-sweet-valentine-the-cifs-browser-protocol-heap-corruption-vulnerability.aspx

Microsoft is working on a fix, but at this time it is not yet available. For at-risk systems, the vulnerability can be mitigated by restricting access to UDP ports 137, 138 and TCP ports 139, 445 to only those hosts that require it. This needs to be done carefully, as the ability to use these ports is critical to many applications.

These access restrictions can be achieved by configuring your EC2 Security Groups accordingly. For information and examples on how to properly configure your Security Groups, please refer to the following documentation:
http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?adding-security-group-rules.html
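As an added illustration of the mitigation described above (this is not code from the bulletin or from AWS), the following script audits security-group rules for the four ports named in this advisory and reports any rule that exposes them to the whole Internet. It assumes the rule dictionaries have the shape returned by the `IpPermissions` field of a modern boto3 `describe_security_groups()` call; the sample groups and the `sg-0000example*` identifiers are constructed for the example, so it runs offline. It goes slightly beyond the text by also handling the "all traffic" (`-1`) protocol and port ranges that span the ports of interest, both of which silently cover these ports in a real group.

```python
"""Audit EC2 security-group rules for world-exposed NetBIOS/SMB ports."""

# Ports named in the bulletin: UDP 137/138 (NetBIOS name/datagram) and
# TCP 139/445 (NetBIOS session / direct-hosted SMB).
EXPOSED_PORTS = {"udp": {137, 138}, "tcp": {139, 445}}

# Source ranges that mean "anyone on the Internet".
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, proto, port):
    """True if one IpPermissions entry allows `port` for `proto`.

    Handles both shapes a rule can take: IpProtocol "-1" (all traffic,
    no port fields at all) and an explicit FromPort..ToPort range.
    """
    ip_proto = rule.get("IpProtocol")
    if ip_proto == "-1":
        return True
    if ip_proto != proto:
        return False
    from_port = rule.get("FromPort")
    to_port = rule.get("ToPort")
    if from_port is None or to_port is None:
        return False
    return from_port <= port <= to_port


def rule_sources(rule):
    """Yield every CIDR source of a rule (IPv4 and IPv6 ranges)."""
    for r in rule.get("IpRanges", []):
        yield r.get("CidrIp")
    for r in rule.get("Ipv6Ranges", []):
        yield r.get("CidrIpv6")


def find_world_exposed(security_groups):
    """Return a list of (group_id, proto, port, cidr) findings."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            world = [c for c in rule_sources(rule) if c in WORLD_CIDRS]
            if not world:
                continue  # only internal sources: not a finding
            for proto, ports in EXPOSED_PORTS.items():
                for port in sorted(ports):
                    if rule_covers_port(rule, proto, port):
                        for cidr in world:
                            findings.append((sg["GroupId"], proto, port, cidr))
    return findings


# Constructed sample input (hypothetical group ids); the dict layout mirrors
# boto3's describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {   # exposed: SMB open to the world, plus a broad range that includes 139
        "GroupId": "sg-0000example1",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 100, "ToPort": 200,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {   # acceptable: same ports, but only reachable from an internal range
        "GroupId": "sg-0000example2",
        "IpPermissions": [
            {"IpProtocol": "udp", "FromPort": 137, "ToPort": 138,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        ],
    },
    {   # exposed: an allow-all rule from the world covers every port
        "GroupId": "sg-0000example3",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for gid, proto, port, cidr in find_world_exposed(SAMPLE_GROUPS):
        print(f"{gid}: {proto}/{port} reachable from {cidr}")
```

To run this against a live account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups()`; the check itself needs no network access. A rule is only flagged when its source is a world CIDR, so groups that already follow the bulletin's advice of limiting these ports to the hosts that need them produce no output.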