Microsoft Confirms TCP/IP Flaw
Microsoft has confirmed a new vulnerability that affects its TCP/IP implementation, a network component of Microsoft Windows.
Responding to reports of a flaw, Microsoft has released its first security advisory, in which it states that the company is not aware of any attacks attempting to use the reported vulnerability.
According to the advisory, various TCP implementations could allow a remote attacker to set arbitrary timer values for a TCP connection. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections.
Those connections would have to be reestablished for communication to continue. This denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights. We do not consider this to be a significant threat to the security of the Internet. This is similar to other TCP connection reset issues.
Changes made during the development of Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and the MS05-019 security update eliminated this vulnerability. If users have installed any of these updates, these updates already help protect them from this vulnerability and no additional action is required.
According to the advisory, for an attacker to try to exploit this vulnerability, they must first predict or learn the IP address and port information of the source and of the destination of an existing TCP network connection. Protocols or programs that maintain long sessions and that have predictable TCP/IP information are at an increased risk for this issue.
This attack would have to be performed on each TCP connection that was targeted for reset. Many applications will automatically restore connections that have been reset.
This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.