More reasons I dislike Microsoft
Mar. 7th, 2005 01:08 pm
There was a recent LJ entry in which there was discussion in the comments about Microsoft's bugs. I think I found a good example of how they handle their bugs which really irritates me and makes me not want to do business with them.
First, a little history. Back in 1997, someone discovered the LAND attack. The way that worked was that you would send a spoofed TCP SYN packet to a Windows 95 machine, with the same source address and port as that of the destination, and would put the machine into an infinite loop. For example, if you had a machine at address 192.168.1.1 that was running a webserver on port 80, you would send a spoofed SYN packet that had a source address of 192.168.1.1 and a source port of 80. The Windows machine would then try sending a SYN ACK to... 192.168.1.1:80, and that packet would go into a loop.
Okay, so that was a nasty bug. But everyone makes mistakes. In fact, reading that article, one can see that there were many other vendors that were also affected.
7 long years go by, which is more than enough time to fix this bug. Yet 2 days ago, I saw this message on Bugtraq:
Windows Server 2003 and XP SP2 (with Windows Firewall turned off) are vulnerable to LAND attack.
LAND attack:
Sending a TCP packet with the SYN flag set, with the source and destination IP address and the source and destination port all set to those of the destination machine, results in a 15-30 second DoS condition.
Tools used:
IP Sorcery for creating malicious packet, Ethereal for sniffing it and tcpreplay for replaying.
Results:
Sending a single LAND packet to a file server causes Windows Explorer to freeze on all workstations currently connected to the server. CPU on the server goes to 100%. Network Monitor on the victim server sometimes cannot even sniff the malicious packet. Using tcpreplay to script this attack results in total collapse of the network.
Vulnerable operating systems:
Windows 2003
XP SP2
[snip]
So, just to recap: There is a serious bug that can allow anyone on the planet with an Internet connection to cripple a machine with a single packet. 7 years have gone by, and this bug still exists in Microsoft products.
But hey, I hear the new version of Microsoft Word is out, and this one includes a version of Clippy that can speak Ebonics and Jive! I'm glad that Microsoft has its priorities in place.
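As an added illustration (not part of the original post or the quoted Bugtraq message), here is the check a host firewall or IDS can apply to a raw IPv4/TCP header to drop or alert on exactly the packet described above. The helper names, the minimal header builder and the sample packets are constructed for this example; it honours IP options via the IHL field and, as the commenter below points out, treats a matching address alone or a matching port alone as legitimate.

```python
import struct

TCP_SYN = 0x02
IPPROTO_TCP = 6

def ip_bytes(dotted: str) -> bytes:
    """Convert a dotted-quad string to its 4 network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))

def build_ipv4_tcp(src_ip, dst_ip, sport, dport, flags):
    """Constructed test packet: minimal IPv4 + TCP headers, no payload.
    Checksums are left at zero; the parser below does not validate them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def is_land_packet(pkt: bytes) -> bool:
    """True when pkt (starting at the IPv4 header) carries the LAND signature
    from the Bugtraq post: SYN set, src IP == dst IP and src port == dst port."""
    if len(pkt) < 20:
        return False
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; honours IP options
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_TCP or len(pkt) < ihl + 14:
        return False
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    # Same address alone (self-connect) or same port alone is normal traffic;
    # only the full self-addressed tuple together with SYN is LAND.
    return bool(off_flags & TCP_SYN) and src == dst and sport == dport

def scan(packets):
    """Return the indices of packets a filter would drop or alert on as LAND."""
    return [i for i, p in enumerate(packets) if is_land_packet(p)]

# Constructed sample traffic: only the first packet matches the signature.
SAMPLE = [
    build_ipv4_tcp("192.168.1.1", "192.168.1.1", 80, 80, TCP_SYN),     # LAND
    build_ipv4_tcp("192.168.1.1", "192.168.1.1", 51000, 80, TCP_SYN),  # self-connect, legitimate
    build_ipv4_tcp("10.0.0.5", "192.168.1.1", 80, 80, TCP_SYN),        # same ports, different hosts
    build_ipv4_tcp("192.168.1.1", "192.168.1.1", 80, 80, 0x10),        # ACK only, not the SYN signature
]

if __name__ == "__main__":
    print("LAND packets at indices:", scan(SAMPLE))
```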
(no subject)
Date: 2005-03-07 07:07 pm (UTC)
Muahaha!
Date: 2005-03-07 11:45 pm (UTC)
Seriously, this is why client firewalls are a good thing. Even on a LAN, a client firewall is a good thing because it blocks spurious traffic and closes off ports and services you don't need. (Under Windows, some services can't be easily turned off.)
More info...
Date: 2005-03-08 12:15 am (UTC)
Win95 was vulnerable to LAND at the VIP.386 level. A malicious packet would cause a memory leak and fatal exception in the TCP/IP driver. FYI: Having the srcIP and destIP the same is kosher, a lot of services work that way. Having the srcPort and destPort the same is unusual, but also OK as long as the addresses are different. Some UDP stuff does that. Win2k and related has a sound TCP/IP stack, and it's not the job of a non-firewalled stack to filter anything.
The problem is non-fatal and in the Server service. It's not the OS, it's a service on the OS. I'm sure services on other platforms have potential issues with nasty packets as well.
Yes, this is a bug and a potential DoS. Microsoft should, can and will fix it.
Re: More info...
Date: 2005-03-08 04:56 am (UTC)
(no subject)
Date: 2005-03-09 01:16 am (UTC)
Nope, sorry; don't use it. :D