Information Security News mailing list archives

Microsoft patches Windows security hole


From: William Knowles <wk () C4I ORG>
Date: Mon, 22 May 2000 15:11:26 -0500

http://news.cnet.com/news/0-1003-200-1923284.html?tag=st.ne.1002.tgif.ni

By Stephanie Miles
Staff Writer, CNET News.com
May 22, 2000, 1:15 p.m. PT

Microsoft today released a security patch that it hopes will prevent
hackers from targeting Windows computers with the type of attacks that
swamped sites such as Yahoo and eBay earlier this year.

The patch fixes a hole found in its currently marketed operating
systems: Microsoft's Windows 95, Windows 98, Windows NT 4.0 and
Windows 2000. The hole permits hackers to crash Windows-based
computers with a distributed denial-of-service (DDoS) attack.

In these types of attacks, a hacker plants code in computers or Web
site servers over the Internet that causes them to email thousands of
messages to a site at the same time. Sites for Slashdot.org, eBay,
Yahoo and others slowed to a crawl earlier this year from DDoS
attacks.

"A malicious user would send a continuous stream of IP (Internet
protocol) fragments with a particular type of malformation," said Scott
Culp, a program manager in Microsoft's security group. "Your machine
would spend all its time trying to reassemble them. It doesn't crash,
just slows down quite a bit."

Patch creation and bug detection have become a major concern for
Microsoft this year, as hackers have become more destructive. Its
dominance in the software industry, combined with what some analysts
say are lax security features in Microsoft Outlook and other products,
has made the company's products particularly attractive targets.

The company has about 90 percent of the desktop operating system
market. The potential for mayhem associated with the software maker's
dominance was illustrated this month when the "I Love You" email virus
spread globally via Microsoft Outlook in less than two days, causing
damages estimated in the billions of dollars. It also brought
increased scrutiny and criticism of Microsoft's security procedures.

In the software maker's case, affected computers don't need to be
victims of a coordinated attack from many computers. But fragments of
data coming at even a relatively low rate could be enough to cripple a
system.

Computers running on any of the Windows operating systems are
vulnerable to DDoS attacks, Microsoft has said.

Networks break large chunks of information into more manageable sizes
of data and then reassemble the fragments when they reach their
destination. The vulnerability is the result of the way Windows-based
operating systems reassemble that information at its intended
destination, the PC.

A steady stream of malicious fragments could consume a huge amount of
the computer's resources, potentially causing a system crash,
Microsoft says, although the software maker has not been able to
recreate a scenario where a computer is brought down by such an
attack.

The patch fixes the way operating systems process and reform data
fragments.

Computers on corporate network firewalls will probably not be affected
by the vulnerability, although Microsoft recommends that all Windows
users download and install the patch. Web servers or proxy servers are
especially vulnerable to the glitch.

"Denial-of-service attacks are not new," said Frank Prince, a security
analyst with Forrester Research. "They cannot be avoided, only
minimized, because they take something that you have to do anyway and
give you more of it than you can handle; anything that a computer does
is potentially the basis of a denial-of-service attack."

Corporations can protect themselves by "avoiding single points of
failure," Prince said, and instead having multiple email and Web
servers.

Microsoft's reputation for lax security may be somewhat unfair, he
added, because the company is judged on single high-profile security
breaches rather than the whole scope of its security measures.

"I associate this with airline accidents," he said. "In spite of the
fact that the airline industry has a wonderful reputation for safety,
when you wipe out 300 people on the side of a mountain in one shot,
people are going to call for safety regulations.

"It's not like they all got together and decided to wipe out 300
people to save money."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
