Microsoft is using a new patch to block sending data via "raw sockets", a technique the security community uses to analyse otherwise inaccessible data, prompting one expert to e-mail his peers: "Pick your poison: Install [the patch] and cripple your operating system, or ignore the hotfix and remain vulnerable to remote code execution and Denial of Service (DoS)."
Raw sockets are a little-known feature of operating systems which use the TCP/IP protocol on which the Internet runs. The feature is heavily relied upon by security professionals as it allows them to bypass certain controls to create more customised TCP/IP packets and analyse Internet data.
The software giant first tried to block the use of raw sockets with the release of Windows XP Service Pack 2 in August last year, claiming the feature could be used to launch denial of service (DoS) attacks. A subsequent workaround devised by the security community has been disabled by the new patch.
Known only as 'Fyodor', the author of the widely-used network scanning tool Nmap -- which uses raw sockets extensively -- said Microsoft's latest move was not aimed at stopping DoS attacks and packets sent with a forged source Internet address, as the heavyweight claimed.
Rather, it had to do with deficiencies in Windows' security architecture, he wrote in an e-mail to his 23,000-strong list.
"I know that some of you have been avoiding SP2 to keep your system fully functional," he said. "Now they [Microsoft] have quietly snuck the raw sockets restriction in with their latest critical security patch [MS05-019]."
"Microsoft claims the change is necessary for security," Fyodor said. "This is funny, since all of the other platforms Nmap supports (e.g. Mac OS X, Linux, the BSD variants) offer raw sockets and yet they haven't become the wasp nest of spambots, worms and spyware that infest so many Windows boxes."
A Microsoft spokesperson was unavailable for comment at the time of publication.