
Critical: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution - tvon
http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
======
tptacek
I _reallllllllly_ want to know if the TCP/IP Timestamp Options vulnerability
--- the one where they keep a stale function pointer in memory that winds up
controlled by an attacker --- refers to the IP Timestamps Option or the TCP
Timestamp Option.

The IP Timestamp Option is more likely --- it's crazy complicated (among other
things, you can play tricks with IP timestamps to determine whether two IP
addresses are virtually hosted on the same machine). The good news about IP
Timestamps is your router probably doesn't pass packets that have that option
set.

~~~
huhtenberg
There is a good chance that they just put the pointer itself in a timestamp
field, presumably allowing the responder to tweak it to point at something
else.

~~~
tptacek
My read of the advisory was that it's a memory lifecycle issue --- having to
do, as the advisory said, with not cleaning up state properly. Which, come to
think about it, suggests that it's TCP timestamps --- IP timestamps are
stateless.

------
tsally
Whenever I see a bug this serious I always wonder if it's been floating around
in the wild all this time.

~~~
fnid
Of course. I doubt they _just_ introduced it, considering it affects operating
systems stretching back a decade.

~~~
huhtenberg
Well, actually no, not a decade. The remote execution vulnerability was clearly
introduced in Vista, most likely due to the much-touted network stack rewrite.

------
cturner
Does the vulnerability stretch back into any of the BSDs it was forked from? :)

~~~
spamizbad
Actually, unlike the previous TCP/IP stack, I believe the Vista/Win7/Serv2008
stack is new from the ground up.

~~~
_ck_
They rewrote it so carefully that they duplicated the same teardrop bug they
created back in Windows 3.1/95 and didn't fix for half a decade.

------
huhtenberg
Note how XP does not have this particular vulnerability.

~~~
mqatrombone
XP is affected by this but XP is not vulnerable in the default configuration
because there is no service listening set up with the firewall by default and
the firewall is on by default. I am curious to see if this causes problems for
Microsoft down the road.

------
cool-RR
I thought that was the title of all Windows hotfixes.

------
mmainguy
You know, I just don't get it. Microsoft is reputed to hire pretty smart
people, but somehow this slips through? This is on the border of
professionally negligent. I can see if my foomatic open source project allows
someone to run remote code (hell, even IIS or maybe Apache for that matter),
but the TCP/IP stack itself? Sheesh....

~~~
swolchok
It's hard to find this sort of thing statically in C code, especially if your
static analysis tool is configured to treat C typecasts as necessarily correct
because there's no syntax in C for expressing how dangerous a cast you
intended, unlike C++. Of course, I don't know whether this code is C or C++.

------
NathanKP
I wonder if this particular vulnerability can be stopped by a firewall.

~~~
tptacek
If it's IP timestamps, then certainly yes --- your firewall should be blocking
this by default.
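The two options tptacek is distinguishing live in different headers, which is exactly what a packet filter keys on: the IP Timestamp option is type 68 in the IPv4 options field (RFC 791), while TCP Timestamps are option kind 8 in the TCP header (RFC 7323). As an added illustration (not code from the thread, from Microsoft, or from any firewall product), here is a small Python parser that walks both options fields, flags which timestamp option is present, and applies a sample policy of dropping IP-timestamp packets while leaving TCP timestamps alone. The sample packets, addresses and the drop policy are constructed for the example; checksums are left at zero.

```python
import struct

# Option type/kind values from the RFCs; both headers use a type, length, data layout.
IP_OPT_TIMESTAMP = 68   # IPv4 Internet Timestamp option, RFC 791 (type 0x44)
TCP_OPT_TIMESTAMP = 8   # TCP Timestamps option, RFC 7323 (kind 8)
IPPROTO_TCP = 6


def parse_options(buf: bytes) -> list:
    """Walk an IPv4 or TCP options field and return [(type, data), ...].

    Type 0 ends the list, type 1 is a one-byte NOP, everything else carries a
    length byte that covers type, length and data. A length that runs past the
    buffer is rejected rather than read out of bounds.
    """
    opts, i = [], 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("option %d truncated before its length byte" % kind)
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("option %d has bad length %d" % (kind, length))
        opts.append((kind, bytes(buf[i + 2:i + length])))
        i += length
    return opts


def inspect_packet(pkt: bytes) -> dict:
    """Report which timestamp options an IPv4 packet (and its TCP segment) carry."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length incl. options, in bytes
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    proto = pkt[9]
    ip_opts = parse_options(pkt[20:ihl])
    report = {
        "proto": proto,
        "ip_timestamp": any(k == IP_OPT_TIMESTAMP for k, _ in ip_opts),
        "tcp_timestamp": False,
    }
    if proto == IPPROTO_TCP:
        seg = pkt[ihl:]
        if len(seg) < 20:
            raise ValueError("short TCP header")
        doff = (seg[12] >> 4) * 4      # data offset: TCP header length in bytes
        if doff < 20 or doff > len(seg):
            raise ValueError("bad TCP data offset")
        tcp_opts = parse_options(seg[20:doff])
        report["tcp_timestamp"] = any(k == TCP_OPT_TIMESTAMP for k, _ in tcp_opts)
    return report


def filter_verdict(pkt: bytes) -> str:
    """Sample policy (an assumption, not any vendor's default): drop packets
    carrying the IP Timestamp option, which ordinary hosts never need, and
    accept TCP Timestamps because every modern TCP stack uses them."""
    try:
        report = inspect_packet(pkt)
    except ValueError:
        return "drop"                  # malformed headers are dropped too
    return "drop" if report["ip_timestamp"] else "accept"


# --- constructed sample packets (checksums left at zero; not real captures) ---

def build_ipv4(options: bytes, payload: bytes, proto: int = IPPROTO_TCP) -> bytes:
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ihl_words = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                      ihl_words * 4 + len(payload), 0x1234, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def build_tcp(options: bytes, payload: bytes = b"") -> bytes:
    options += b"\x00" * (-len(options) % 4)
    doff_words = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff_words << 4, 0x02,
                      65535, 0, 0)
    return hdr + options + payload


# IP Timestamp option: type 68, length 8, pointer 5, overflow/flags 0, one empty slot.
PKT_IP_TS = build_ipv4(bytes([IP_OPT_TIMESTAMP, 8, 5, 0]) + b"\x00" * 4, build_tcp(b""))
# TCP Timestamps option: NOP, NOP, kind 8, length 10, TSval, TSecr.
PKT_TCP_TS = build_ipv4(b"", build_tcp(bytes([1, 1, TCP_OPT_TIMESTAMP, 10])
                                       + struct.pack("!II", 1000, 0)))
PKT_PLAIN = build_ipv4(b"", build_tcp(b""))
# Truncated option: claims 40 bytes but only 4 are present.
PKT_BAD_OPT = build_ipv4(bytes([IP_OPT_TIMESTAMP, 40, 5, 0]), build_tcp(b""))

if __name__ == "__main__":
    for name, pkt in [("ip-ts", PKT_IP_TS), ("tcp-ts", PKT_TCP_TS),
                      ("plain", PKT_PLAIN), ("bad-opt", PKT_BAD_OPT)]:
        print(name, filter_verdict(pkt))
```

The point of keeping the two checks separate is that they are not interchangeable: blocking IP options at the perimeter costs nothing, whereas stripping TCP Timestamps from every segment would break PAWS and RTT estimation for legitimate connections, so a TCP-timestamp bug in a host stack has to be fixed on the host.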

------
GrandMasterBirt
So what? MS found a security bug. Let's look on Linux forums about all the
security exploits fixed here and there.

MS fixed a critical bug. Yay. Why complain? It's better than Apple ignoring
security bugs for years :)

~~~
thaumaturgy
Remote code execution vulnerabilities on widely-used systems are generally
noteworthy.

