On September 8th Microsoft released its usual set of patches. One particular issue CVE-2009-1926 affects all Microsoft Windows platforms except for Windows 7 and Windows 2008 R2.However Microsoft neglected to issue a patch for the Windows XP and Windows 2000 platform. Microsoft took this decision consciously claiming that the code that required fixing is very old and it would not be feasible to fix for this issue.

Furthermore Microsoft classified the impact on Windows XP and Windows 2000 as low.

What are the dangers?

The vulnerability in question affects the TCP/IP stack, the part of Windows that deals with network connections. Sending specially crafted packets to any listing service will result in a system losing all its resources on Windows XP and Windows 2000, effectively rendering them unusable whilst the attack continues.  What’s even worse is that on Windows Vista and above, including Windows 2008 but excluding Windows 7 and Windows 2008 R2, this attack can be used to execute code remotely without any need for credentials.

Microsoft claims that since by default Windows XP SP 2 and above have a stateful host firewall that doesn’t allow any listening services configured by default, Windows XP is thus effectively unaffected. However, whilst I am sure that this may be the case for some, it is by no means true for everyone. If your Windows XP runs any service that can be accessed remotely then that Windows XP is vulnerable to this denial of service attack.

I can see this as being especially true in companies that make use of telecommuting or any business that employs some form of remote management through the internet. Further to this I would imagine that while remote access might be protected, the case might not be the same for local intranet access, and whilst I agree that launching a local denial of service attack seems a bit farfetched I suppose there can be scenarios where this can happen, for example, in a competitive environment in order to gain an advantage over a colleague to reach a higher quota and gain that end of month bonus.

And finally whilst  this issue can currently only be used as a denial of service attack exclusively on Windows XP and Windows 2000, when the details about the exploit are made public (which now they obviously are), further research will be done by other parties that might find new ways to use this approach that might lead to further compromise. To make matters worse,  the incentive is certainly there right now for malicious people who might make a living developing and selling exploits as now they know that most likely this issue will remain unpatched  for (at the very least) a while after they start selling such an exploit. This is because Microsoft also claimed that it would take some major re-engineering of its Operating systems to fix the old code and as such it would take a long time to complete the required changes if this exploit turns into some remote executing vulnerability. That being said however, it’s important to note that this vulnerability is currently causing no crashes or any other unintended effect on the current infrastructure. Its use as a denial of services is simply because the specially crafted packets are causing the connection to reach a persistent state of waiting. Thus, as is right now, this is unlikely to develop into anything more; however, the risk is still there.

What can I do to protect myself?

Since there is no patch available for this issue the only option to protect your network is through the use of a firewall. It might also be a good practice to use a network scanner and catalog what services are running on each machine and close any unnecessary ones.

The firewall should block all outside access to be effective. In cases where there is either telecommuting in use or any other form of service that requires outside access, make sure that these are restricted to the required IP Addresses only. Please note that this will still make you vulnerable if the attack comes from these IP addresses. This can happen for various reasons, from the employee becoming disgruntled to a Trojan that infected the employee’s machine. To protect against this vector an intrusion detection system can be employed to detect if an attack is currently in progress.

Also it might be worth assessing the risk that this event has on your infrastructure. Whilst it is very unusual for Microsoft to not fix code in operating systems that have yet to reach their end of life, this occurrence shows that there is a risk that Microsoft might not patch issues when it may be inconvenient to do so and/or when they determine that the issue is low impact at that point in time.

It might also be a good idea to inform the support stuff of this issue so that if a machine on the network starts exhibiting erratic behavior due to unexplained resource / memory depletion they will know to investigate if this kind of attack is in progress.