Launch Printer Friendly Page Security TechCenter > > Microsoft Security Advisory (899480)

Microsoft Security Advisory (899480)

Vulnerability in TCP Could Allow Connection Reset


Microsoft is aware of a new vulnerability report affecting TCP/IP, a network component of Microsoft Windows. We are not aware of any attacks attempting to use the reported vulnerability and have no reports of customer impact at this time.

Various TCP implementations could allow a remote attacker to set arbitrary timer values for a TCP connection. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be reestablished for communication to continue. This denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights. We do not consider this to be a significant threat to the security of the Internet. This is similar to other TCP connection reset issues.

Changes made during the development of Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and the MS05-019 security update eliminated this vulnerability. If you have installed any of these updates, these updates already help protect you from this vulnerability and no additional action is required.

Mitigating Factors:

  • Customers who have installed Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or the MS05-019 security update are not affected by this vulnerability.
  • For an attacker to try to exploit this vulnerability, they must first predict or learn the IP address and port information of the source and of the destination of an existing TCP network connection. Protocols or programs that maintain long sessions and that have predictable TCP/IP information are at an increased risk for this issue.
  • This attack would have to be performed on each TCP connection that was targeted for reset. Many applications will automatically restore connections that have been reset.
  • This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.
  • This attack requires the TCP Timestamp Option registry setting to be enabled. This setting is enabled by default. However, this option can be disabled. Systems that have disabled this setting are not affected by this vulnerability. For more information about this setting, visit the following Web site.

Customers should note that the MS05-019 security bulletin is currently scheduled to be re-released in June of 2005. The original security update successfully addressed the vulnerabilities that are described in the security bulletin and the vulnerability that is documented in this advisory. However, the original security update contains a known network connectivity issue that affects a particular type of network configuration. Until the re-release of this security update is available, customers who experience the symptoms that are described in Microsoft Knowledge Base Article 898060 should follow the instructions that are contained in the article to address the network connectivity issue. If you are not experiencing this network connectivity issue, we recommend that you install the currently available security update to help protect against the vulnerabilities that are described in this security advisory and the original security bulletin.

General Information


Frequently Asked Questions

Suggested Actions

Other Information



The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • May 18, 2005: Advisory published