Microsoft Security Advisory 899480
Vulnerability in TCP Could Allow Connection Reset
Published: May 18, 2005
Microsoft is aware of a new vulnerability report affecting TCP/IP, a network component of Microsoft Windows. We are not aware of any attacks attempting to use the reported vulnerability and have no reports of customer impact at this time.
Various TCP implementations could allow a remote attacker to set arbitrary timer values for a TCP connection. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be reestablished for communication to continue. This denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights. We do not consider this to be a significant threat to the security of the Internet. This is similar to other TCP connection reset issues.
Changes made during the development of Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and the MS05-019 security update eliminated this vulnerability. If you have installed any of these updates, these updates already help protect you from this vulnerability and no additional action is required.
- Customers who have installed Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or the MS05-019 security update are not affected by this vulnerability.
- For an attacker to try to exploit this vulnerability, they must first predict or learn the IP address and port information of the source and of the destination of an existing TCP network connection. Protocols or programs that maintain long sessions and that have predictable TCP/IP information are at an increased risk for this issue.
- This attack would have to be performed on each TCP connection that was targeted for reset. Many applications will automatically restore connections that have been reset.
- This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.
- This attack requires the TCP Timestamp Option registry setting to be enabled. This setting is enabled by default. However, this option can be disabled. Systems that have disabled this setting are not affected by this vulnerability. For more information about this setting, visit the following Web site.
Customers should note that the MS05-019 security bulletin is currently scheduled to be re-released in June of 2005. The original security update successfully addressed the vulnerabilities that are described in the security bulletin and the vulnerability that is documented in this advisory. However, the original security update contains a known network connectivity issue that affects a particular type of network configuration. Until the re-release of this security update is available, customers who experience the symptoms that are described in Microsoft Knowledge Base Article 898060 should follow the instructions that are contained in the article to address the network connectivity issue. If you are not experiencing this network connectivity issue, we recommend that you install the currently available security update to help protect against the vulnerabilities that are described in this security advisory and the original security bulletin.
Purpose of Advisory: Notification of the availability of a security update to help protect against this potential threat.
Advisory Status: Advisory published. As this issue is already addressed as part of the MS05-019 security bulletin, no additional update is required.
|Service Packs||Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1|
|Microsoft Windows 2000 Service Pack 3|
|Microsoft Windows 2000 Service Pack 4|
|Microsoft Windows XP Service Pack 1|
|Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)|
|Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)|
|Microsoft Windows Server 2003|
|Microsoft Windows Server 2003 for Itanium-based Systems|
What is the scope of the advisory?
Microsoft has been made aware of a new vulnerability report affecting TCP/IP, a network component of Microsoft Windows. This affects the software that is listed in the “Overview” section. It is similar in scope to other TCP connection reset issues.
Is this a security vulnerability that requires Microsoft to issue a new security update?
No. Customers who have installed Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or the MS05-019 security update are not affected by this vulnerability. No additional update is required.
What causes this threat?
Various TCP implementations could allow a remote attacker to set arbitrary timer values for a TCP connection. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be reestablished for communication to continue. This denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights. We do not consider this to be a significant threat to the security of the Internet.
What might an attacker use this function to do?
An attacker who exploited this vulnerability could cause the affected system to reset TCP connections.
Will this vulnerability be documented in the MS05-019 security bulletin?
No. This vulnerability does not reproduce on systems that are fully updated. No additional security update is required. Therefore, it would not be appropriate to update the previously released security bulletin.
Protect Your PC
We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.
Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Disable the TCP Timestamp Option
Customer who cannot install Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or the MS05-019 security update can disable the TCP Timestamp Option to help protect against this vulnerability. This attack requires the TCP Timestamp Option registry key to be enabled. For more information about this setting, visit the following Web site. The recommendation is to use the value of 0 to disable these options. Disabling of this setting may not allow the setting of large TCP window sizes in a high-bandwidth environment.
- You can provide feedback by completing the feedback form by visiting the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- May 18, 2005: Advisory published
Built at 2014-04-18T13:49:36Z-07:00