
Failed fixes haunt credibility of Microsoft's Trustworthy Computing Initiative

Written by David Berlind, Inactive
Microsoft's Trustworthy Computing Questioned
TruSecure Corp. senior scientist Russ Cooper, who is also the founder and editor of the NTBugtraq mailing list, has published a report that details how a nearly eight-year-old denial-of-service (DoS) vulnerability has resurfaced in Windows XP (including SP2) and Windows Server 2003 long after Microsoft originally fixed the problem. At the time this blog was published, Microsoft had not yet responded to the question of whether Service Pack 1 for Windows Server 2003, which was just announced today, contains a fix (stay tuned for an update -- editor's note: update now appears below).
The vulnerability, according to Cooper, leaves Microsoft's desktop and server operating systems open to a DoS exploit known as a "Land attack" that he says can crash a system. In his report, Cooper takes Microsoft to task for allowing the vulnerability to creep back into its operating system codebases. Said Cooper:
The fact that the newest versions of Microsoft's OSes can be crashed by Land attacks makes you realize how far Bill Gates' vaunted Trustworthy Computing initiative still has to go.
According to Cooper's report, a Land attack is a form of DoS attack that "involves sending a packet to a machine with the source host/port the same as the destination host/port. This results in the system attempting to reply to itself, causing it to lock up." I pinged Microsoft to get its take on the report and, in saying that "a successful attack could cause the computer to perform sluggishly for a short period of time," the response from a company spokesperson (shown below) appears to dispute the potential impact of such an attack (sluggish performance vs. lock up). In acknowledging the vulnerability, Microsoft did not offer an explanation of how this or other vulnerabilities can creep back into Windows after originally being fixed, nor did it address Cooper's report card on the company's Trustworthy Computing Initiative.
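As an added illustration (not from Cooper's report or from Microsoft), the condition quoted above can be written as a check that a packet filter or IDS could apply to raw IPv4/TCP headers. The function names, the sample packets and the RFC 5737 documentation addresses are constructed for this example.

```python
import ipaddress
import struct

def is_land_packet(packet: bytes) -> bool:
    """True if a raw IPv4 packet carrying TCP has source host/port equal to
    destination host/port (the Land condition as quoted in the article)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                       # truncated, or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        return False                       # malformed header, or no room for ports
    if packet[9] != 6:
        return False                       # protocol field: 6 = TCP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                       # non-first fragment carries no TCP header
    src_ip, dst_ip = packet[12:16], packet[16:20]
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src_ip == dst_ip and src_port == dst_port

def sample_packet(src, dst, sport, dport, options=b""):
    """Constructed sample input: IPv4 + TCP header bytes, built in memory only."""
    ihl_words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed) + options
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + tcp

# Constructed samples; addresses come from the RFC 5737 documentation range.
SAMPLES = {
    "normal": sample_packet("192.0.2.10", "192.0.2.20", 40000, 80),
    "land": sample_packet("192.0.2.20", "192.0.2.20", 80, 80),
    "same_host_other_port": sample_packet("192.0.2.20", "192.0.2.20", 40000, 80),
    # IP options shift the TCP header, so the port offset must follow IHL.
    "land_with_ip_options": sample_packet("192.0.2.20", "192.0.2.20", 80, 80,
                                          options=b"\x01" * 4),
    "truncated": sample_packet("192.0.2.20", "192.0.2.20", 80, 80)[:22],
}

def flagged(samples):
    """Names of the samples that match the Land condition."""
    return sorted(name for name, pkt in samples.items() if is_land_packet(pkt))

if __name__ == "__main__":
    print(flagged(SAMPLES))
```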
Cooper's report isn't the only evidence that something could be amiss in the way Microsoft's Trustworthy Computing initiative is tracking known vulnerabilities and making sure new code doesn't reintroduce them or leave them unaddressed. News.com reported today that Microsoft has officially acknowledged that a security patch issued in January for its Windows 98 and Windows ME operating systems may still be leaving customers' computers open to attack.
Here's the full text of the aforementioned spokesperson's response: