Feeds

Microsoft, Cisco issue patches for newfangled DoS exploit

Relief for industry-wide TCP attack

Beginner's guide to SSL certificates

Updated Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.

The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.

"This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own," Lee told The Register. "This really is good progress from both Microsoft and Cisco."

On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee. The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected.

The update from Microsoft came during the company's Patch Tuesday, in which it fixed a total of eight security vulnerabilities in various versions of its Windows operating system. In all, Microsoft issued five patches, which change the way Windows processes javascript, MP3 audio files and wireless signals. As always, the Sans Institute provides a helpful overview here.

Cisco issued it's own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive.

"By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases," the bulletin stated. "With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system."

Several other companies issued their own advisories concerning the vulnerability, according to this advisory from the Computer Emergency Response Team in Finland. Security firm Check Point Software said it was updating several security gateway products. Linux distributor Red Hat, meanwhile, stopped short of issuing a fix, but offered this workaround.

The industry wide advisories are designed to address a design flaw in a core internet protocol. Louis and Lee discovered it in 2005 and kept it secret last year. The researchers have provided few public details about how to exploit the bug to prevent it from being targeted in real-world attacks. Now that fixes are being released, he plans to write several blog posts in the coming weeks that for the first time will publicly reveal how attacks are carried out.

The vulnerability is unusual in that it causes a server or router to stop working with relatively modest amounts of malformed traffic. What's more, the disruption lasts even after the malicious assault has ended. In many cases, the only way to repair a disabled device is to restart it, a remedy that's not suitable in most data centers.

Not all industry players agree on the severity of the flaw. Researchers from router maker Juniper Networks said they "found no unexpected or adverse impact to our equipment which is different from other types of TCP Denial of Service." VMware and Clavister said none of their products are vulnerable, either.

Lee cautioned that many companies are wrong when they claim their products are unaffected by the new class of DoS vulnerabilities. In particular, he said Juniper's insistence that its products aren't vulnerable "means the guys at Juniper didn't get it." He went on to say: "I'm reasonably certain they're absolutely vulnerable."

Barry Greene, director of Juniper's security incident response team, took exception to that claim. He said his security team tested Juniper's entire product portfolio using Outpost24's own security tools and found no evidence any of it was vulnerable to the types of attacks described by Louis and Lee.

"The expectation is that when you're under attack, your system should recover when you remove the attack," Greene said. "Your system shouldn't crash when you're under attack. Our expectation is that we recover as we do from any other DoS attack of this type." ®

This article was updated to include comment from Juniper.

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.