Tuesday, September 15, 2009

MS09-048 Critical Vulnerability with NO PATCH??

Microsoft recently released a Security Bulletin (MS09-048 - Critical) announcing several vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. These vulnerabilities could allow Denial of Service (DoS) or remote code execution if specially crafted TCP/IP packets were sent over the network to a computer with a listening service.

It has been a very HOT discussion on the Internet. A Microsoft vulnerability is nothing new in the IT security world. What caused the commotion is that Windows 2000 SP4 and Windows XP were listed as affected products, yet Microsoft is not issuing any updates for them. I have seen some very interesting comments, and I think I should share some of them along with my own. Below are the extracts from Microsoft Security Bulletin MS09-048.

MS09-048 Affected Software

- Extract from bulletin FAQ -
If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it?
The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. Microsoft recommends that customers running Microsoft Windows 2000 Service Pack 4 use a firewall to block access to the affected ports and limit the attack surface from untrusted networks.

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Does this update completely remove the vulnerabilities, TCP/IP Zero Window Size Vulnerability - CVE-2008-4609 and TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926?
Since the denial of service vulnerabilities, CVE-2008-4609 and CVE-2009-1926, affect the TCP/IP protocol itself, the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack. Also, these denial of service vulnerabilities can be further mitigated through the use of NAT and reverse proxy servers, further lowering the severity of this issue on client workstations.
- End of Extract -


From the bulletin, they are saying that it is "technically infeasible" to build a fix for Windows 2000. It also mentions that they did not patch XP because the client firewall (enabled by default) mitigates the problem, provided no ports are listening. It is not because XP is not vulnerable: XP's TCP/IP stack uses the same underlying code as Windows 2000, so it seems too hard for them to fix XP as well.
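The bulletin's whole argument for XP hinges on whether a host actually has a TCP service listening on a non-loopback address, and its description of the DoS is a flood that holds connection state until memory runs out. As an added example that is not part of the original post, the script below parses `netstat -an` style output (the sample is constructed, not captured from a real host) and reports the two things a defender would check: ports listening on externally reachable addresses, and remote peers holding an unusual number of established connections.

```python
import re
from collections import Counter

# Constructed sample in the style of `netstat -an` on Windows 2000/XP
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       203.0.113.7:40001      ESTABLISHED
  TCP    192.168.1.10:445       203.0.113.7:40002      ESTABLISHED
  TCP    192.168.1.10:445       203.0.113.7:40003      ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.20:50010     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local addr:port, foreign addr:port, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Return (proto, local_addr, local_port, remote_addr, remote_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append((proto, laddr, int(lport), raddr, rport, state or ""))
    return rows


def exposed_listeners(rows):
    """TCP ports listening on a non-loopback address: the 'listening service'
    that, per the bulletin, makes a host affected and should be firewalled."""
    return sorted({lport for proto, laddr, lport, _, _, state in rows
                   if proto == "TCP" and state == "LISTENING"
                   and not laddr.startswith("127.")})


def connections_per_peer(rows, threshold):
    """Remote hosts holding at least `threshold` established connections to us.
    A crude indicator of a flood that pins connection state in kernel memory."""
    counts = Counter(raddr for proto, _, _, raddr, _, state in rows
                     if proto == "TCP" and state == "ESTABLISHED")
    return {peer: n for peer, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("exposed TCP listeners:", exposed_listeners(rows))
    print("busy peers:", connections_per_peer(rows, threshold=3))
```

The threshold is a constructed value for illustration; on a real host it should be set from that host's normal connection profile.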

Some Microsoft fans may rebut that everyone should upgrade to Windows 2003 or 2008. But the updates do not really fix the issue: "the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack". So they still have not fixed the issue, right?

There was also a statement that I find comical:
- "The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases".
For a DoS, doesn't the system always "become unresponsive", and most of the time recover once the flood ceases anyway?

Customers should start looking into their support maintenance contracts. Start thinking about, and asking for, a refund of the costs incurred (on additional protection for vulnerable systems) from your software vendor when no patch is created even though the support contract calls for one. Also think of the possible cost and damage to your company in the event that a breach or exploit of these unpatched vulnerabilities occurs.

Nessus has released a plugin to detect these vulnerabilities.

1 comment:

Anonymous said...

A system may not necessarily recover after DoS attacks, e.g. if the system/service crashes, or the memory utilization does not go back to normal.