Re: Microsoft Windows vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

[Henri Salo <henri () nerv fi>]

On Wed, Nov 09, 2011 at 06:45:59AM -0500, Dan Rosenberg wrote:
> People seem incredulous that the bug can be triggered by sending
> traffic to closed ports.  Keep in mind that the only way your
> networking stack knows to reject packets that are directed towards
> closed ports is to do some preliminary parsing of those packets,
> namely allocating some control structures, receiving at least the
> physical/link layer frame, IP header, and transport layer header, and
> parsing out the port and destination address.  There's plenty of
> things that can go wrong before the kernel decides "this is for a port
> that's not open" and drops it, which appears to be what happened here.
>  Doesn't make the bug any less terrible, but it's not quite as
> surprising as people seem to think.

I am surprised about this, because Microsoft is definately lagging some level of testing and change management in 
critical code. How many servers are people using without networking these days. We do talk about remote execution 
vulnerable in something, which obviously might get unnoticed when we think of security audits, PCI and such. I wonder 
if integrated firewall in Windows could block this as Microsoft should do everything in their power to stop attacks in 
this security vulnerability.

Related picture: http://paste.nerv.fi/72975464-itbegins.jpeg

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/