Failed fixes haunt credibility of Microsoft's Trustworthy Computing Initiative

Summary:TruSecure Corp. senior scientist Russ Cooper, who is also the founder and editor of the NTBugtraq mailing list, has published a report that details how a nearly eight-year-old denial-of-service (DoS) vulnerability has resurfaced in Windows XP (including SP2) and Windows Server 2003 long after Microsoft originally fixed the problem.

Microsoft's Trustworthy Computing Questioned
TruSecure Corp. senior scientist Russ Cooper, who is also the founder and editor of the NTBugtraq mailing list, has published a report that details how a nearly eight-year-old denial-of-service (DoS) vulnerability has resurfaced in Windows XP (including SP2) and Windows Server 2003 long after Microsoft originally fixed the problem. At the time this blog was published, Microsoft had not yet responded to the question of whether Service Pack 1 for Windows Server 2003, which was just announced today, contains a fix (stay tuned for an update -- editor's note: update now appears below).

The vulnerability according to Cooper, leaves Microsoft's desktop and server operating systems open to a DoS exploit known as a "Land attack" that he says can crash a system. In his report, Cooper takes Microsoft to task for allowing the vulnerability to creep back into its operating system codebases. Said Cooper:

The fact that the newest versions of Microsoft's OSes can be crashed by Land attacks makes you realize how far Bill Gates' vaunted Trustworthy Computing initiative still has to go.

According to Cooper's report, a Land attack is a form of DoS attack that "involves sending a packet to a machine with the source host/port the same as the destination host/port. This results in the system attempting to reply to itself, causing it to lock up." I pinged Microsoft to get its take on the report and, in saying that "a successful attack could cause the computer to perform sluggishly for a short period of time," the response from a company spokesperson (shown below) appears to dispute the potential impact of such an attack (sluggish performance vs. lock up). In acknowledging the vulnerability, Microsoft did not offer an explanation of how this or other vulnerabilities can creep back into Windows after originally being fixed nor did it address Cooper's report card on the company's Trustworthy Computing Initiative.

Cooper's report isn't the only evidence that something could be amiss in the way Microsoft's Trustworthy Compting initiative is tracking known vulnerabilities and making sure new code doesn't reintroduce them or leave them unaddressed. News.com reported today that Microsoft has officially acknowledged that a security patch issued in January for its Windows 98 and Windows ME operating systems may still be leaving customers' computers open to attack.

Here's the full text of the aforementioned spokesperson's response:

Microsoft is aware and continues to investigate public reports of a vulnerability in Windows Server 2003 and Windows XP SP2. We have not been made aware of any attacks attempting to use the vulnerability nor are we aware of any customer impact at this time. Microsoft's initial investigation has revealed that this vulnerability cannot be used by an attacker to run malicious software on a computer but rather a successful attack could cause the computer to perform sluggishly for a short period of time. Customers running the Windows Firewall, enabled by default on Windows XP SP2, with no port exceptions, or customers running Windows Server 2003 who have applied our TCP/IP hardening practices described in knowledge Base Article 324270 are protected from an attack attempting to utilize this issue: http://support.microsoft.com/kb/324270.

Microsoft is currently working on a fix to address this vulnerability and will release that fix to customers once it's found to be as well-engineered and thoroughly tested as possible. We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps at www.microsoft.com/protect.

Customers who believe they may have been affected can contact Product Support Services. You can contact Product Support Services in North America a for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.

Update from a Microsoft spokesperson regarding whether or not Service Pack 1 for Windows Server 2003 contains a fix for the vulnerability:

Customers that download and install Windows Server 2003 Service Pack 1 are protected from this vulnerability.

Topics: Security

About

David Berlind was fomerly the executive editor of ZDNet. David holds a BBA in Computer Information Systems. Prior to becoming a tech journalist in 1991, David was an IT manager.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.