What's the scope of the vulnerability?
This is a buffer overflow vulnerability that results in a denial of service that could allow an attacker to disrupt a Windows 2000 user's session. It would automatically restart their machine.
The vulnerability would not allow the attacker to load or run malicious code on the user's system. It would only allow an attacker to disrupt the user's current computing session.
This vulnerability is unusual because it could only be exploited if the user was in close physical proximity to the attacker. It cannot be remotely exploited from the network. It also cannot be locally exploited from the console. Any attempt to maliciously exploit this vulnerability would require that the attacker be within a clear line of site of the victim's machine or be able to transmit the IrDA packets through reflection directly to the victim's I port and that the attacker have a machine with him to exploit the vulnerability.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the software which handles information from the IrDA device. By sending a specially formed IrDA packet, an attacker could cause an unhandled exception which in turn would cause the system to fail with an access violation.
What is IrDA?
IrDA refers to a group of short-range, high speed, bidirectional wireless infrared protocols established by the Infrared Data Association. IrDA allows a variety of devices to communicate with each other such as cameras, printers, portable computers, desktop computers, and personal digital assistants (PDAs).
Windows 2000 supports IrDA protocols that enable data transfer over infrared connections. This allows other devices and programs to communicate with Windows 2000 through the IrDA interface for activities such as file and print sharing.
How can I tell if I have an IrDA device on my system?
If you have an IrDA device on your system the Wireless Link icon will appear in the Control Panel. If you do not see a Wireless Link icon in the Control Panel, then you do not have an IrDA device on your system and you are not vulnerable to this issue.
What's wrong with IrDA in Windows 2000?
The software that handles IrDA devices in Windows 2000 contains an unchecked buffer when handling a certain type of IrDA packet. When a specially formed IrDA packet of this type is received, it causes an access violation, causing Windows 2000 to restart automatically.
How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by sending a specially crafted IrDA packet from their machine to the intended victim's machine. Because of the nature of IrDA , this would have to be performed within the range of the potential victim's IrDA port, usually within arm's length. The attacker's machine would also have to have either a clear line of sight to the potential victim's IrDA port, or be able to deliver the malicious packet through a carefully targeted reflection attack that successfully pinpointed the victim's IrDA port.
Is there any other way for an attacker to exploit this vulnerability?
No. The attack would have to come from another machine's IrDA port and target directly to the victim's IrDA port. It could not be exploited remotely across a network and could not be exploited locally on the victim's machine.
What could an attacker do if they maliciously exploited this vulnerability?
An attacker could cause the victims machine to experience an access violation and reboot automatically.
How long would the attack last?
The attack would last as long as it took for the victim's machine to reboot. However, the attacker could levy another attack at the victim's machine once the machine had successfully rebooted, if they remained within range and were able to launch another formed packet at the victim's IrDA port.
How would someone mount an attack?
Because this is related to the infrared support, an attack would have to be mounted from a machine that could transmit infrared packets to the potential victim's machine. In practical terms, this means that an attacker would most likely be in line-of-sight with a machine, making it very difficult to mount an attack without being noticed.
What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking in the IrDA device handler.
Do all Windows 2000 users need to apply the patch?
No, only those who have systems with IrDA capabilities need to apply the patch.
