Slashdot Mirror


Microsoft, Cisco Finally Patch TCP DoS Flaw

Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."

3 of 114 comments

  1. Re:Better Late than never? by Anonymous Coward · Score: 4, Informative

    From the MS bulletin:

    Non-Affected Software
    Operating System
    Windows XP Service Pack 2 and Windows XP Service Pack 3*
    Windows XP Professional x64 Edition Service Pack 2*

  2. Re:what's the point of IOS? by gad_zuki! · Score: 5, Informative

    First off, a lot of these embedded OSs are real time OSs. Linux vanilla isn't.

    So let's say your company standardized on dd-wrt, which is popular and a solid product, but look at the recent security issue:

    http://routerip/cgi-bin/;command_to_execute

    That's right, the command goes right there and it runs as root. That's a nightmare level security issue that CS101 students should be ashamed of, let alone from true hackers.

    So imagine if linksys standardized on dd-wrt. Just clicking on http://192.168.1.1/cgi-bin/;rm-r would destroy your router. That link could be put everywhere on the web and would result in mass chaos.

    I think a lot of companies know the quality from even the most popular OSS projects can be highly uneven and hackers are just that: hackers. They hack things together. Good design and security testing is usually an afterthought.
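
A defender-side check for the request shape described in the comment above, as an added example (not part of the original comment and not dd-wrt's code): it scans access-log lines for /cgi-bin/ requests whose path carries shell metacharacters, including percent-encoded and double-encoded ones. The common log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Shell metacharacters that have no business in a CGI path segment.
SHELL_META = set(";|&`$(){}<>\n\r")
# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so %3B and %253B both surface as ';'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def suspicious_cgi_request(log_line):
    """Return the decoded path if a /cgi-bin/ request carries shell
    metacharacters in its path (query string ignored), else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    path = decode_fully(m.group("target").split("?", 1)[0])
    _, found, tail = path.partition("/cgi-bin/")
    return path if found and SHELL_META & set(tail) else None

# Constructed sample log lines (not from the page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/;command_to_execute HTTP/1.1" 200 0',
    '192.0.2.77 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/%3Bcommand_to_execute HTTP/1.1" 200 0',
    '192.0.2.77 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/%253Bcommand_to_execute HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:20 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 1024',
]

def scan(lines):
    """Return (source_ip, decoded_path) for every flagged line."""
    hits = []
    for line in lines:
        path = suspicious_cgi_request(line)
        if path:
            hits.append((line.split(" ", 1)[0], path))
    return hits

if __name__ == "__main__":
    for ip, path in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {path}")
```

Decoding before matching is the important step: a filter that only looks for a literal `;` misses the encoded variants in the sample lines.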

  3. It was a joint release date by Anonymous Coward · Score: 4, Informative

    Today was a joint release date. That is to say: Everyone agreed that nobody would release their fix(es) until everyone was ready.
    This was done to ensure that an attacker did not reverse engineer one company's fix, and use the flaw to wreak havoc on another company's products.

    And "Everyone" in this case includes more vendors than just Microsoft & Cisco. The firm I work for released our fix(es) for this issue today.

    Instead of someone disclosing a security problem one month before the vendor's next scheduled patch date, wouldn't you prefer that a major remote flaw affecting hundreds of companies' products be hidden until most of them were ready to be patched?