CVE-2014-0316

Name of the Vulnerable Software and Affected Versions Microsoft Windows versions prior to the fixed version Windows 7 SP1 Windows Server 2008 R2 SP1 Windows 8 Windows 8.1 Windows Server 2012 Gold and R2 Windows RT Gold and 8.1

Description A memory leak in the Local RPC (LRPC) server implementation allows remote attackers to cause a denial of service (memory consumption) and bypass the ASLR protection mechanism via a crafted client that sends messages with an invalid data view. The issue is related to the LRPC server not freeing messages from clients that have attached data, which is not expected for the message type. This enables a client to fill up the server's address space with such messages.

Recommendations For Windows 7 SP1, update to a version that includes the fix for this issue. For Windows Server 2008 R2 SP1, update to a version that includes the fix for this issue. For Windows 8, update to a version that includes the fix for this issue. For Windows 8.1, update to a version that includes the fix for this issue. For Windows Server 2012 Gold and R2, update to a version that includes the fix for this issue. For Windows RT Gold and 8.1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the LRPC server to minimize the risk of exploitation.