Failed fixes haunt credibility of Microsoft's Trustworthy Computing Initiative


Summary: TruSecure Corp. senior scientist Russ Cooper, who is also the founder and editor of the NTBugtraq mailing list, has published a report that details how a nearly eight-year-old denial-of-service (DoS) vulnerability has resurfaced in Windows XP (including SP2) and Windows Server 2003 long after Microsoft originally fixed the problem.

TruSecure Corp. senior scientist Russ Cooper, who is also the founder and editor of the NTBugtraq mailing list, has published a report that details how a nearly eight-year-old denial-of-service (DoS) vulnerability has resurfaced in Windows XP (including SP2) and Windows Server 2003 long after Microsoft originally fixed the problem. At the time this blog was published, Microsoft had not yet responded to the question of whether Service Pack 1 for Windows Server 2003, which was just announced today, contains a fix (stay tuned for an update -- editor's note: update now appears below).

The vulnerability, according to Cooper, leaves Microsoft's desktop and server operating systems open to a DoS exploit known as a "Land attack" that he says can crash a system. In his report, Cooper takes Microsoft to task for allowing the vulnerability to creep back into its operating system codebases. Said Cooper:

The fact that the newest versions of Microsoft's OSes can be crashed by Land attacks makes you realize how far Bill Gates' vaunted Trustworthy Computing initiative still has to go.

According to Cooper's report, a Land attack is a form of DoS attack that "involves sending a packet to a machine with the source host/port the same as the destination host/port. This results in the system attempting to reply to itself, causing it to lock up." I pinged Microsoft to get its take on the report and, in saying that "a successful attack could cause the computer to perform sluggishly for a short period of time," the response from a company spokesperson (shown below) appears to dispute the potential impact of such an attack (sluggish performance vs. lock up). In acknowledging the vulnerability, Microsoft did not offer an explanation of how this or other vulnerabilities can creep back into Windows after originally being fixed nor did it address Cooper's report card on the company's Trustworthy Computing Initiative.
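The condition quoted from Cooper's report (source host/port the same as destination host/port) is something a packet filter or sensor can test for directly. The following Python check over raw IPv4 headers is an added example, not code from Cooper's report or from Microsoft; the function names and the constructed sample packets (documentation addresses) are assumptions.

```python
import socket
import struct

TCP, UDP = 6, 17  # IP protocol numbers that carry source/destination ports

def is_land_packet(pkt: bytes) -> bool:
    """True if an IPv4 TCP/UDP packet has source host/port == destination host/port."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                       # too short, or not IPv4
    ihl = (pkt[0] & 0x0F) * 4              # header length varies with IP options
    if ihl < 20 or len(pkt) < ihl + 4:
        return False                       # malformed or truncated before the ports
    if pkt[9] not in (TCP, UDP):
        return False
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return False                       # non-first fragment: no port fields here
    if pkt[12:16] != pkt[16:20]:
        return False                       # source address differs from destination
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return sport == dport

def sample_packet(src, sport, dst, dport, ip_options=b""):
    """Constructed test input: IPv4 + TCP SYN headers, checksums left at zero."""
    words = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | words, 0, words * 4 + 20, 0, 0,
                     64, TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 8192, 0, 0)
    return ip + ip_options + tcp

if __name__ == "__main__":
    # Constructed samples using documentation addresses (RFC 5737).
    samples = {
        "same host and port": sample_packet("192.0.2.10", 80, "192.0.2.10", 80),
        "same host, other port": sample_packet("192.0.2.10", 1025, "192.0.2.10", 80),
        "normal client": sample_packet("198.51.100.7", 40000, "192.0.2.10", 80),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'DROP (Land pattern)' if is_land_packet(pkt) else 'pass'}")
```

The check is meant for traffic arriving on a network-facing interface; loopback traffic can legitimately carry identical source and destination addresses.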

Cooper's report isn't the only evidence that something could be amiss in the way Microsoft's Trustworthy Computing initiative is tracking known vulnerabilities and making sure new code doesn't reintroduce them or leave them unaddressed. News.com reported today that Microsoft has officially acknowledged that a security patch issued in January for its Windows 98 and Windows ME operating systems may still be leaving customers' computers open to attack.

Here's the full text of the aforementioned spokesperson's response:

Microsoft is aware and continues to investigate public reports of a vulnerability in Windows Server 2003 and Windows XP SP2. We have not been made aware of any attacks attempting to use the vulnerability nor are we aware of any customer impact at this time. Microsoft's initial investigation has revealed that this vulnerability cannot be used by an attacker to run malicious software on a computer but rather a successful attack could cause the computer to perform sluggishly for a short period of time. Customers running the Windows Firewall, enabled by default on Windows XP SP2, with no port exceptions, or customers running Windows Server 2003 who have applied our TCP/IP hardening practices described in Knowledge Base Article 324270 are protected from an attack attempting to utilize this issue: http://support.microsoft.com/kb/324270.

Microsoft is currently working on a fix to address this vulnerability and will release that fix to customers once it's found to be as well-engineered and thoroughly tested as possible. We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps at www.microsoft.com/protect.

Customers who believe they may have been affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.

Update from a Microsoft spokesperson regarding whether or not Service Pack 1 for Windows Server 2003 contains a fix for the vulnerability:

Customers that download and install Windows Server 2003 Service Pack 1 are protected from this vulnerability.


Talkback

  • Move along

    Nothing new here.

    Those of us who've been around a while recognize that MS has an extremely long history of reintroducing bugs. The trouble that they had back in the DOS3/DOS4 days with large (for the day) disks was the same kind of thing, and it's surfaced countless times since.

    "Look forward, not back" is an ingrained part of corporate culture that a few memos from the Chief Software Architect won't change, especially since it's a part that he himself prizes so highly.
    Yagotta B. Kidding
  • To avoid the attack, you got to go Mac...

    There's nothing more to say.
    gtdworak
    • Or linux...

      Mac's good, but not entirely necessary. Could go linux on a normal PC.
      petteyg359
  • Re: Failed fixes haunt credibility of Microsoft's Trustworthy Computing Ini

    According to Cooper's report, a Land attack is a form of DoS attack that "involves sending a packet to a machine with the source host/port the same as the destination host/port. This results in the system attempting to reply to itself, causing it to lock up."

    This is too silly. This is what happens when you put a public IP address on a Windows computer. Take my advice: don't do it.

    A properly configured firewall will drop packets that are purporting to be from your own IP address. Windows doesn't provide that kind of protection.

    From a Microsoft web page (http://www.microsoft.com/whdc/device/network/WFP.mspx):

    "WFP is a new architecture in Microsoft Windows codenamed “Longhorn” that allows unprecedented access to the TCP/IP packet processing path, wherein outgoing and incoming packets can be examined or changed before allowing them to be processed further. By tapping into the TCP/IP processing path, ISVs can create firewalls, anti-virus software, diagnostic software, and other types of applications and services."

    Unprecedented for Windows users. Old hat for Linux users. But anyway, this is Longhorn. Put your current Windows computer behind a Linux or *BSD firewall.


    none none
  • A properly configured firewall ...

    would protect you from this sort of attack, and numerous others as well.

    Running an unprotected MS Windows client straight to the Internet is just asking for trouble. Use a software firewall like Zone Alarm with Ad-aware and Spybot S&D on the client unit as an absolute minimum. Even better: don't connect the MS Windows system directly to the Internet. Pass the client's traffic through a Checkpoint firewall on a FreeBSD server, running on one of your old obsolete systems, which is attached to your broadband router.

    No-one in the IT community ever believed that "Trustworthy Computing" ever meant security anyway. Microsoft's long and troubled history should cause any reasonable person to adopt a wait-and-see attitude with regards to Microsoft's actual results.

    Regards,
    Jon
    JonathonDoe
    • and don't forget to keep your anti-virus up to date either. (NT)

      No Text.
      JonathonDoe
  • Trustworthy Computing : Open Source and Peer Review

    Sorry Bill, your version has a bad track record.
    kensys
    • Trustworthy Computing

      With respect to Microsoft, is trustworthy computing an oxymoron?
      BXLE