Internet Security Systems - AlertCon(TM)

Vulnerabilities in MS TCP/IP - MS08-001

Posted by Chris Valasek on January 08, 2008 at 1:57 PM EST.

This month Microsoft released two security bulletins. The more important of the two is the update for its TCP/IP driver, which fixes two very serious vulnerabilities. The first is a denial of service, with the potential for remote code execution, in the handling of ICMP Router Advertisement messages; the second is remote code execution in IGMPv3 (and, on Windows Vista, MLDv2) query processing, caused by the TCP/IP stack storing state incorrectly. The ICMP issue, while serious, is mitigated by the fact that Router Discovery isn’t enabled by default on Windows (it can be switched on by a DHCP server or by the per-interface PerformRouterDiscovery setting, so verify it on your own hosts rather than assuming). It should still be taken seriously: the fault is in kernel mode, so a crash is a bugcheck, and with default settings the system reboots automatically.

The IGMP/MLD issue is another matter. Even if multicast plays no part in your infrastructure, IGMP is on by default, so an unpatched host can be compromised by this attack. To make matters worse, an IGMP general query is sent to the all-hosts multicast address and is therefore received by every host on the segment, so a single packet could compromise an entire subnet. I believe these issues, though it is early in the year, could be the most serious we see in 2008.
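As an added illustration (this is not part of the original post, and not Microsoft's code), the following PowerShell script checks a Windows XP / Server 2003 era host for the two exposure conditions described above and for the presence of the fix. The registry value names (PerformRouterDiscovery, IGMPLevel) and the hotfix number (KB941644, the MS08-001 update) are taken from Microsoft's TCP/IP stack documentation and the bulletin, not from the post; the meaning assigned to each value is as Microsoft documents it. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: exposure check for the two
# MS08-001 issues (ICMP Router Discovery DoS, IGMP RCE) on an XP/2003-era host.
# Registry names and KB941644 come from Microsoft's documentation; run elevated.

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# --- 1. ICMP Router Discovery (the denial-of-service issue) -------------------
# PerformRouterDiscovery is per interface: 0 = disabled, 1 = enabled,
# 2 = enabled only if the DHCP server sends option 31 (the Windows default).
# A missing value behaves like 2, so "not enabled by default" really means
# "not enabled unless your DHCP server says so".
Write-Host 'Router Discovery per interface:'
Get-ChildItem "$tcpip\Interfaces" | ForEach-Object {
    $value = (Get-ItemProperty -Path $_.PSPath).PerformRouterDiscovery
    if ($value -eq $null) { $value = 2 }
    $state = switch ($value) {
        0       { 'disabled' }
        1       { 'ENABLED' }
        2       { 'DHCP-controlled (default; exposed if option 31 is served)' }
        default { "unknown value $value" }
    }
    Write-Host ('  {0}  {1}' -f $_.PSChildName, $state)
}

# --- 2. IGMP (the remote code execution issue) --------------------------------
# IGMPLevel under the Tcpip Parameters key: 0 = no multicast, 1 = send-only
# (no IGMP), 2 = full IGMP support (the default). A missing value means 2.
# Microsoft's documented workaround for unpatched hosts is to set it to 0.
$level = (Get-ItemProperty -Path $tcpip).IGMPLevel
if ($level -eq $null) { $level = 2 }
if ($level -eq 0) { $igmp = 'multicast disabled' }
else              { $igmp = 'IGMP processing ON (workaround value is 0)' }
Write-Host ('IGMPLevel = {0}: {1}' -f $level, $igmp)

# Groups currently joined. Every IPv4 interface belongs to the all-hosts group
# 224.0.0.1, which is where a general query, and so a one-packet attack on the
# whole segment, is delivered.
Write-Host 'Multicast groups joined:'
netsh interface ip show joins

# --- 3. Is the MS08-001 update installed? -------------------------------------
$fix = Get-WmiObject -Class Win32_QuickFixEngineering |
       Where-Object { $_.HotFixID -eq 'KB941644' }
if ($fix) { Write-Host 'KB941644 (MS08-001) is installed.' }
else      { Write-Host 'KB941644 (MS08-001) NOT found: apply the update.' }
```

The script only covers the IPv4 side (IGMP and ICMP Router Discovery); it does not assess the IPv6 MLDv2 path on Windows Vista, and a clean result for Router Discovery still depends on what your DHCP server hands out, which is why the DHCP-controlled state is reported as a possible exposure rather than as safe.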

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.