Microsoft patches 1990s-era 'Ping of Death'

Also plugs critical holes in IE9, Windows' DNS service in 22-fix collection

1 2 Page 2
Page 2 of 2

Kandek seconded that as he pushed for MS11-058 to make second on the patch-ASAP list. "Microsoft's DNS service is pretty widely deployed, many IT shops have it in place," he noted.

Kandek and his colleague, Amol Sarwate, the manager of Qualys' vulnerability research lab, expect attackers to closely examine the DNS patch in the hope of crafting a working exploit. "It's going to be interesting to malware authors, who, if they successfully exploited it, could modify search results users see," said Sarwate.

"I think this will be a good challenge for researchers because [DNS servers are] a good target," added Kandek.

Microsoft pegged that vulnerability as a "3" on its exploitability index, indicating it doesn't believe a reliable exploit will appear in the next 30 days.

Kandek wasn't so sure, and said he wouldn't be surprised if hackers figured out how to hit vulnerable DNS servers.

Unlike other researchers, nCircle's Storms had a different pick for second place: MS11-064, an update that patched two bugs in the Windows TCP/IP stack.

The vulnerability marked "CVE-2011-1871" brought back memories for Storms.

"This looks like the "Ping of Death" from the early-to-mid 1990s," said Storms. "Then, when a specially-crafted ping request was sent to a host, it caused the Windows PC to blue screen, and then reboot."

Two decades ago, the Ping of Death was used to bring down Windows PCs remotely, often as a way to show the instability of the operating system. "People would say, 'You're stupid to put your machines on the Internet," said Storms.

"My suspicion is that if this catches fire and someone writes a small attack tool and releases it, you could see [Windows PCs] blue screened at your local coffee shop," Storms said, talking about the possibility of crashing machines on a free Wi-Fi network.

Storms said it appeared that today's "Ping of Death" bug was a different vulnerability than Microsoft patched in its now-ancient OSes of the 1990s.

The bug exists in Windows Vista, Server 2008, Windows 7 and Server 2008 R2, Microsoft said, but not in Windows XP or Server 2003.

Others were less concerned with the new Ping of Death problem. "It's definitely an old-school kind of attack," said Sarwate of Qualys. "But if it is exploited, I think it would be more on the prank side."

"There are easier ways to bring down a [Web] server than this," said Kandek, when asked whether the vulnerability might be exploited by hacking groups such as Anonymous that have knocked major sites offline this year using traditional denial-of-service attacks.

Microsoft also patched other vulnerabilities in Windows, including several two in remote access components of the OS and one in the kernel, as well as bugs in Visio, Visual Studio and the .Net Framework.

August's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

Copyright © 2011 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
 
Shop Tech Products at Amazon