New Windows Attack Can Disable Firewall

BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."

Not that big a deal, but still.

[Grendel+Drago]

Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?

Not as bad as it sounds

[DavidD_CA]

So for this attack to work, according to the article...

1) The attacker has to be on the LAN already, or executing code from a PC on the LAN

2) The LAN has to be connected to the internet through a PC using ICS, and

3) There can be no external firewall device such as a router sitting between the LAN and the internet

While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.

Re:What can you trust?

[pedestrian+crossing]

You use an IPS/IDS appliance that goes up to level 7.

Mine goes up to 11.