New TCP/IP Flaw Haunts Windows

Microsoft issues a prepatch advisory with mitigation guidance after exploit code is published on a popular security Web site.

Microsoft on Wednesday issued a prepatch advisory to counter the publication of exploit code for a newly discovered vulnerability in its implementation of TCP/IP.

The Redmond, Wash., companys confirmation of the flaw is the first public test of the software giants new security advisories pilot project, which is meant to provide instant feedback, guidance and mitigations when third-party researchers release vulnerability details and exploits before a patch is available.

In this case, Microsoft Corp.s Security Advisory 899480 comes 24 hours after an alert with accompanying exploit code was published by FrSIRT (French Security Incident Response Team), a private research outfit.

"Various TCP implementations could allow a remote attacker to set arbitrary timer values for a TCP connection. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be re-established for communication to continue," Microsoft said in its advisory.

Microsoft said the threat was not considered significant, adding that it was unaware of any actual attacks exploiting the flaw.

"This denial-of-service vulnerability would not allow an attacker to execute code or to elevate their user rights."

The Microsoft Security Response Center said the flaw affects users of Windows 2000 Service Pack 3, Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP 64-Bit Edition Service Pack 1 (Itanium), Windows XP 64-Bit Edition Version 2003 (Itanium), Windows Server 2003 and Windows Server 2003 for Itanium-based systems.

According to the advisory, changes made during the development of Windows XP SP2 (Service Pack 2) and Windows Server 2003 Service Pack 1 have eliminated the vulnerability.

Microsoft said the recently released MS05-019 bulletin provides protection from this attack vector, but that guidance appears to contradict the initial warning from FrSIRT that Microsofts patch fixed only one variant of the vulnerability.

But there are known problems with the MS05-019 bulletin, which contains patches that have caused major connectivity problems for network administrators. Microsoft plans to rerelease the bulletin to correct errors that range from the inability of Exchange servers to talk to their domain controllers; failure of domain controller replication across WAN (wide area network) links; and the inability to connect to terminal servers or to file sharing access.

In the meantime, Microsoft recommends that users disable the TCP Timestamp Option registry setting to block potential denial-of-service attacks.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.