5 - KB899480

Microsoft is aware of a new vulnerability report affecting TCP/IP, a network component of Microsoft Windows. We are not aware of any attacks attempting to use the reported vulnerability and have no reports of customer impact at this time.

Various TCP implementations could allow a remote attacker to set arbitrary timer values for a TCP connection. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be reestablished for communication to continue. This denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights. We do not consider this to be a significant threat to the security of the Internet. This is similar to other TCP connection reset issues.

Changes made during the development of Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and the MS05-019 security update eliminated this vulnerability. If you have installed any of these updates, these updates already help protect you from this vulnerability and no additional action is required.

Mitigating Factors:

Customers who have installed Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or the MS05-019 security update are not affected by this vulnerability.

For an attacker to try to exploit this vulnerability, they must first predict or learn the IP address and port information of the source and of the destination of an existing TCP network connection. Protocols or programs that maintain long sessions and that have predictable TCP/IP information are at an increased risk for this issue.

This attack would have to be performed on each TCP connection that was targeted for reset. Many applications will automatically restore connections that have been reset.

This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.

This attack requires the TCP Timestamp Option registry setting to be enabled. This setting is enabled by default. However, this option can be disabled. Systems that have disabled this setting are not affected by this vulnerability. For more information about this setting, visit the following Web site.

Customers should note that the MS05-019 security bulletin is currently scheduled to be re-released in June of 2005. The original security update successfully addressed the vulnerabilities that are described in the security bulletin and the vulnerability that is documented in this advisory. However, the original security update contains a known network connectivity issue that affects a particular type of network configuration. Until the re-release of this security update is available, customers who experience the symptoms that are described in Microsoft Knowledge Base Article 898060 should follow the instructions that are contained in the article to address the network connectivity issue. If you are not experiencing this network connectivity issue, we recommend that you install the currently available security update to help protect against the vulnerabilities that are described in this security advisory and the original security bulletin.

What is the scope of the advisory?
Microsoft has been made aware of a new vulnerability report affecting TCP/IP, a network component of Microsoft Windows. This affects the software that is listed in the “Overview” section. It is similar in scope to other TCP connection reset issues.

Is this a security vulnerability that requires Microsoft to issue a new security update?
No. Customers who have installed Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or the MS05-019 security update are not affected by this vulnerability. No additional update is required.

What causes this threat?
Various TCP implementations could allow a remote attacker to set arbitrary timer values for a TCP connection. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be reestablished for communication to continue. This denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights. We do not consider this to be a significant threat to the security of the Internet.

What might an attacker use this function to do?
An attacker who exploited this vulnerability could cause the affected system to reset TCP connections.

Will this vulnerability be documented in the MS05-019 security bulletin?
No. This vulnerability does not reproduce on systems that are fully updated. No additional security update is required. Therefore, it would not be appropriate to update the previously released security bulletin.