Third-Party Driver Flaws Found

Vulnerability affects TCP message transmissions.

Several third-party device drivers that ship with Windows Server 2003 contain a vulnerability that causes them to leak potentially sensitive data during TCP transmissions.

The flaw does not affect Microsoft Corp. drivers; it has been found only in drivers provided by outside vendors.

The vulnerability is similar to a class of flaws first described in a paper published by @Stake Inc., of Cambridge, Mass., in January. The problem occurs when messages transmitted between two machines are padded with arbitrary data to bring their byte size in line with the accepted standard. The @Stake paper described the problem as occurring in Ethernet frames in Internet Control Messaging Protocol messages. But researchers at Next Generation Security Software Ltd. recently discovered that the issue is also present in some TCP transmissions from device drivers.

The problem is that when Ethernet frames dont meet the minimum size requirement specified by the standard, the device drivers pad the frames with data pulled from previously used buffers without first cleaning that section of memory. This means that whatever information was in that buffer is then sent as part of the new transmission. The NGSS researchers observed the behavior most frequently during the closure of a TCP connection when the FIN and ACK packets were exchanged. Among the data the researchers observed were e-mail passwords.

There are several drivers affected by the TCP version of this vulnerability, including those for Advanced Micro Devices Inc.s PCNet network cards and Via Technologies Inc.s Rhine II compatible network cards, according to the bulletin published by NGSS, based in Surrey, England. Both of these drivers are digitally signed by Microsoft and are included on the Windows Server 2003 installation CD.

According to a Microsoft statement on the issue, "Microsoft does not ship any Microsoft written drivers that contain the vulnerability. However, we have found some third party drivers and samples in our documentation that, when compiled without alteration, could yield a driver that could contain this issue. We have made corrections to the samples in our documentation and are working with third parties, and have included tests for this issue in our driver certification program." Microsoft, of Redmond, Wash., has put much time and effort into improving the security model in Windows Server 2003 relative to its older operating systems, and company executives say it will be an early indicator of the effectiveness of the Trustworthy Computing project.