Microsoft Security Bulletin (MS00-029): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-029 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows® 95, Windows 98, Windows NT® 4.0 and Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. If a malicious user sent IP fragments with a particular type of malformation, even at a relatively moderate rate, it could prevent an affected machine from performing useful service.
There is no capability through this vulnerability to compromise data or usurp administrative control on an affected machine. The effect of the vulnerability would only last as long as the malformed data was sent; as soon as the attack ceased, the machine would return to normal operation.
What causes the vulnerability?
The vulnerability results because Windows 95, Windows 98, Windows NT 4.0 and Windows 2000 do not correctly perform IP fragment reassembly. If a stream of IP fragments containing a particular malformation were received, even at a relatively low rate, it could cause an affected machine to dedicate most or all of its CPU time to handling them.
What are IP fragments?
The IP protocol specification provides guidance for performing IP fragmentation - a process by which IP datagrams are subdivided into smaller data packets during transit. Fragmentation is needed because every network architecture carries data in chunks called frames, and the maximum frame size varies from network to network. When an IP datagram enters a network whose maximum frame size is smaller than the size of the datagram, it is split into fragments. Thereafter, the fragments travel separately to their destination, at which point they are reassembled and processed.
This vulnerability results because of a flaw in the way the affected systems perform IP fragment reassembly. If a stream of IP fragments with a particular type of malformation are directed against an affected machine, the work factor associated with performing IP fragment reassembly can be driven arbitrarily high by varying the data rate at which the fragments are sent. This could allow a malicious user to consume most or all of the machine's CPU availability.
What Network layer protocols are affected?
The vulnerability is independent of the Network layer protocol specified in the IP header.
What could a malicious user do via this attack?
A malicious user could prevent an affected machine from performing useful work, but couldn't compromise data on the machine or usurp administrative control. It's been reported that in some rare cases a machine could be caused to crash via such an attack, but Microsoft has not been able to confirm any cases in which this occurs.
How fast would a malicious user need to send the packets in order to affect a machine?
It would depend on many factors, including the processing power of the target machine and network bandwidth. However, in Microsoft's tests, only moderate data rates were needed under most conditions.
How long would the effect of such an attack last?
The effects of an attack via this vulnerability would last only until the malicious user stopped sending the malformed ICMP fragments. Once the fragments stopped arriving, the machine would quickly return to normal operation.
Would a firewall protect against this vulnerability?
Yes. However, filtering on a particular higher-level protocol might not be effective, because the malformed fragments can arrive via any higher-level protocol. However, many networks filter for fragmented datagrams, and such a firewall would protect the machines behind it.
Are firewalls typically configured to drop fragmented packets?
Many are, especially for security-critical networks. Many denial of service attacks have used fragmented packets in some form, and as a result, many system administrators choose to filter for them as a precaution.
Would a proxy server protect against this vulnerability?
Yes. Proxy servers generally reassemble fragmented packets before forwarding them to the interior of the network, and this would protect the machines behind it. However, it's important that the patch be applied to proxy servers, as they could otherwise be affected by this vulnerability.
Could this vulnerability be exploited accidentally?
It's extremely unlikely that this vulnerability would be exploited accidentally. It requires that IP fragments with fairly specific characteristics be continuously sent to a machine. Microsoft is not aware of legitimate activity that could cause this to happen.
What machines are primarily at risk from this vulnerability?
All Windows 95, Windows 98, Windows NT 4.0 and Windows 2000 machines are vulnerable, but the most likely machines to be affected would be machines on a network edge such as web servers or proxy servers. Machines behind a proxy server, or behind a firewall that filters fragmented datagrams, would not be affected by the vulnerability.
Will Windows 2000 Datacenter Server be affected by this vulnerability?
No. This vulnerability will be corrected before Windows 2000 Datacenter Server ships.
What does the patch do?
The patch causes Windows 95, Windows 98, Windows NT 4.0 and Windows 2000 to correctly perform IP fragment reassembly, even if the fragments contain the malformation at issue here.
How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin
How can I tell if I installed the patch correctly?
The KB article 259728 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article 259728 explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.