[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)
- From: Henri Salo <henri@xxxxxxx>
- Date: Wed, 9 Nov 2011 18:51:56 +0200
On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
> People seem incredulous that the bug can be triggered by sending
> traffic to closed ports. Keep in mind that the only way your
> networking stack knows to reject packets that are directed towards
> closed ports is to do some preliminary parsing of those packets,
> namely allocating some control structures, receiving at least the
> physical/link layer frame, IP header, and transport layer header, and
> parsing out the port and destination address. There's plenty of
> things that can go wrong before the kernel decides "this is for a port
> that's not open" and drops it, which appears to be what happened here.
> Doesn't make the bug any less terrible, but it's not quite as
> surprising as people seem to think.
I am surprised about this, because Microsoft is definately lagging some level
of testing and change management in critical code. How many servers are people
using without networking these days. We do talk about remote execution
vulnerable in something, which obviously might get unnoticed when we think of
security audits, PCI and such. I wonder if integrated firewall in Windows could
block this as Microsoft should do everything in their power to stop attacks in
this security vulnerability.
Related picture: http://paste.nerv.fi/72975464-itbegins.jpeg
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/