Microsoft, Cisco Finally Patch TCP DoS Flaw
Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."
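The summary describes connections that stay open for a very long time while carrying almost no traffic. One host-side check a defender can run is to snapshot the connection table and count, per remote peer, how many established sockets are both old and nearly idle. The example below is added here and is not code from the story, from Outpost24 or from any vendor; the connection records are constructed sample data, and the thresholds (`min_conns`, `min_age_s`, `max_bytes`) are assumptions to be tuned per host.

```python
"""Flag remote peers that park many long-lived, near-idle TCP connections on this host."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    peer: str         # remote address
    state: str        # TCP state as reported by the host's connection table
    age_s: int        # seconds since the connection was established
    bytes_total: int  # bytes exchanged in both directions so far


# Constructed sample snapshot (not real data): one peer holds six old, idle
# connections; one peer has normal traffic; one peer has six brand-new connections.
SAMPLE_CONNS = (
    [Conn("198.51.100.7", "ESTABLISHED", 900 + i, 96) for i in range(6)]
    + [Conn("203.0.113.5", "ESTABLISHED", 1200, 45_000),
       Conn("203.0.113.5", "TIME_WAIT", 30, 3_000)]
    + [Conn("192.0.2.9", "ESTABLISHED", 20 + i, 80) for i in range(6)]
)


def suspicious_peers(conns, min_conns=5, min_age_s=300, max_bytes=1024):
    """Return {peer: count} for peers holding at least `min_conns` established
    connections that are older than `min_age_s` seconds and have moved no more
    than `max_bytes` bytes. Young or busy connections are ignored."""
    per_peer = defaultdict(int)
    for c in conns:
        if (c.state == "ESTABLISHED"
                and c.age_s >= min_age_s
                and c.bytes_total <= max_bytes):
            per_peer[c.peer] += 1
    return {peer: n for peer, n in per_peer.items() if n >= min_conns}


if __name__ == "__main__":
    for peer, n in suspicious_peers(SAMPLE_CONNS).items():
        print(f"{peer}: {n} long-lived idle connections")
```

On a real host the `SAMPLE_CONNS` list would be replaced by records parsed from the system's connection table; the point of the check is the ratio of connection age to bytes moved, which is what distinguishes a parked connection from a slow but legitimate client.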
I mean, Robert E. Lee has been dead for *decades*.
-- The opinions stated above aren't those of my employer. In fact, they're probably not even my own. You know what, ju
Just think of all the meetings that had to be convened, coffee brewed, dinners expensed discussing the potential impact of these flaws, input from the legal department on the cost of fixing the bug versus potential liability including agreement to the shrinkwrap license that absolves MS of any liability unless a judge someday says otherwise, reading the tea leaves, God the list goes on and on.
I'm proud of them for releasing this fix in such a timely fashion.
From the MS bulletin:
Non-Affected Software
Operating System
Windows XP Service Pack 2 and Windows XP Service Pack 3*
Windows XP Professional x64 Edition Service Pack 2*
Are you kidding?
Linksys was acquired by cisco.
there is about as much difference between Linksys and cisco routers as there is between a weekend yacht and a freighter.
IOS was designed to be an enterprise embedded solution, not for some Joe Bloggs out there who needs to hook up two computers to his cable connection.
First off, a lot of these embedded OSs are real-time OSs. Vanilla Linux isn't.
So let's say your company standardized on dd-wrt, which is popular and a solid product, but look at the recent security issue:
http://routerip/cgi-bin/;command_to_execute
That's right, the command goes right there and it runs as root. That's a nightmare-level security issue that CS101 students should be ashamed of, let alone true hackers.
So imagine if Linksys standardized on dd-wrt. Just clicking on http://192.168.1.1/cgi-bin/;rm-r would destroy your router. That link could be put everywhere on the web and would result in mass chaos.
I think a lot of companies know the quality from even the most popular OSS projects can be highly uneven and hackers are just that: hackers. They hack things together. Good design and security testing is usually an afterthought.
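The post above describes a CGI front end that passes the text after `cgi-bin/;` to a root shell. The two defensive pieces a practitioner would want are (1) a handler that only ever maps a strictly validated script name onto an allowlist and never hands request text to a shell, and (2) a log check that surfaces requests carrying shell metacharacters in that path segment, including percent-encoded ones. The code below is an added example, not dd-wrt's own code or its fix; the access-log lines and the `HANDLERS` allowlist are constructed for illustration.

```python
"""Hardened cgi-bin dispatch plus a log scan for shell metacharacters in the script segment."""
import re
from urllib.parse import unquote

# Constructed access-log lines (not captured from a real router).
SAMPLE_LOG = """\
192.168.1.50 - - [09/Sep/2009:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512
192.168.1.51 - - [09/Sep/2009:10:01:05 +0000] "GET /cgi-bin/;rm-r HTTP/1.1" 200 0
192.168.1.52 - - [09/Sep/2009:10:01:09 +0000] "GET /cgi-bin/%3Bid HTTP/1.1" 200 0
192.168.1.53 - - [09/Sep/2009:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

CGI_PREFIX = "/cgi-bin/"
SAFE_SCRIPT = re.compile(r"[A-Za-z0-9_-]{1,64}")   # the only shape a script name may take
SHELL_META = set(";|&`$(){}<>\n")                   # characters a shell would interpret
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

# Hypothetical allowlist: script name -> Python callable. Nothing here ever
# reaches a shell, so there is no command string for request text to alter.
HANDLERS = {
    "status": lambda: "status page",
    "reboot": lambda: "reboot scheduled",
}


def script_name_from_path(path):
    """Return the script name if `path` is a well-formed /cgi-bin/<name>, else None.
    The query string is dropped and percent-encoding is decoded first, so
    %3B is treated exactly like a literal ';' and rejected."""
    decoded = unquote(path.split("?", 1)[0])
    if not decoded.startswith(CGI_PREFIX):
        return None
    name = decoded[len(CGI_PREFIX):]
    return name if SAFE_SCRIPT.fullmatch(name) else None


def dispatch(path):
    """Resolve a request path to (status, body) via the allowlist only."""
    name = script_name_from_path(path)
    if name is None or name not in HANDLERS:
        return (404, "not found")
    return (200, HANDLERS[name]())


def flag_injection_attempts(log_text):
    """Return [(client_ip, decoded_path)] for requests whose cgi-bin segment
    contains a shell metacharacter after percent-decoding."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group("path"))
        if decoded.startswith(CGI_PREFIX):
            segment = decoded[len(CGI_PREFIX):]
            if any(ch in SHELL_META for ch in segment):
                hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for ip, path in flag_injection_attempts(SAMPLE_LOG):
        print(f"{ip} requested {path!r}")
```

The validation is an allowlist on the script name, not a blocklist of bad characters: `script_name_from_path` accepts only a short alphanumeric token, so anything a shell could interpret is rejected without having to enumerate it. The blocklist in `SHELL_META` is used only for the log scan, where the goal is to surface attempts rather than to decide what is safe.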
Today was a joint release date. That is to say: everyone agreed that nobody would release their fix(es) until everyone was ready.
This was done to ensure that an attacker did not reverse engineer one company's fix and use the flaw to wreak havoc on another company's products.
And "Everyone" in this case includes more vendors than just Microsoft & Cisco. The firm I work for released our fix(es) for this issue today.
Instead of someone disclosing a security problem one month before the vendor's next scheduled patch date, wouldn't you prefer that a major remote flaw affecting hundreds of companies' products be hidden until most of them were ready to be patched?