Opinion: Old Attack Exposes Microsoft Shortcomings

Windows Server 2003 and Windows XP Service Pack 2 were both found to be vulnerable to a very old form of Denial of Service attack known as a "Land" attack. The attack involves sending a packet to a machine with the source host/port the same as the destination host/port. This results in the system attempting to reply to itself, causing it to lock up.
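A host-side check for the packet shape described above, as an added example that is not part of the original column: it parses raw IPv4/TCP bytes and flags packets whose source address and port equal the destination address and port. The function names and the sample packets (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import socket
import struct

TCP = 6  # IPv4 protocol number for TCP


def is_land_packet(pkt: bytes) -> bool:
    """True if a raw IPv4/TCP packet has source address and port equal to destination."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                       # not a complete IPv4 header
    ihl = (pkt[0] & 0x0F) * 4              # header length; options make it > 20
    if ihl < 20 or len(pkt) < ihl + 4:
        return False                       # malformed length, or ports truncated
    if pkt[9] != TCP:
        return False
    if struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF:
        return False                       # later fragment: no TCP header here
    src_port, dst_port = struct.unpack_from("!HH", pkt, ihl)
    return pkt[12:16] == pkt[16:20] and src_port == dst_port


def sample_packet(src, sport, dst, dport, ip_options=b""):
    """Constructed parse fixture (checksums left zero), used only as input to the check."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20, 0, 0, 64,
                     TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ip + ip_options + tcp


# Constructed samples using documentation address ranges.
SAMPLES = {
    "land": sample_packet("192.0.2.10", 139, "192.0.2.10", 139),
    "land_with_ip_options": sample_packet("192.0.2.10", 139, "192.0.2.10", 139, b"\x01" * 4),
    "same_host_other_port": sample_packet("192.0.2.10", 139, "192.0.2.10", 445),
    "normal": sample_packet("198.51.100.7", 49152, "192.0.2.10", 139),
}


def flagged(samples):
    """Names of the samples the check flags, in sorted order."""
    return sorted(name for name, pkt in samples.items() if is_land_packet(pkt))


if __name__ == "__main__":
    print(flagged(SAMPLES))
```

The check reads the TCP ports at the offset given by the IP header length, so a packet carrying IP options is still matched.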

Land attacks first came to light in 1997, and the flaw was fixed in all Windows versions at the time. The vulnerability appears to have been re-introduced as a result of the security hardening done during XP SP2 development.

The fact that the newest versions of Microsoft's OSes can be crashed by Land attacks makes you realize how far Bill Gates' vaunted Trustworthy Computing initiative still has to go. Some key failures this vulnerability exposes:

1. This is an old and well-known form of attack. How could Microsoft miss this during security testing of the new versions? The likely answer is that they had routers which prevented the LAND attacks; thus, they probably tested for the vulnerability and missed the problem because the router blocked the attack, even though the OSes won't. This means the criteria they used for determining the success or failure of the test were completely off-base.

2. Code was originally written, then subsequently found to be vulnerable to an attack (in this case, the original LAND attack in 1997). Such an occurrence should get logged in such a way as to ensure that the issue, or the coding that led to the vulnerability in the first place, is double-checked every time the modules containing the code are revised, updated or replaced. Yet here we are again, so obviously there were no sticky notes on the vulnerable modules saying "Hey, check and make sure we're not vulnerable to LAND attacks!"

3. We could simply attribute this to the age-old charge that Microsoft's code is so huge and so diversely managed that it doesn't know what it's doing with -- or to -- it.

4. It could also be that its code is just too difficult to perform proper quality assurance (QA) on. It seems hardly fair to blame Computer Associates for legacy issues in its code (as I did a few weeks ago) and not call out Microsoft's QA people for re-introducing a previously patched vulnerability. Holy Windows, Batman!

More information on the Land attack can be found at www.cert.org/advisories/CA-1997-28.html.

Russ Cooper is a Senior Information Security Analyst with Cybertrust, Inc., www.cybertrust.com. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

Russ Cooper's Security Watch column appears every Monday in the Redmond magazine/ENT Security Watch e-mail newsletter.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
