MS05-019 breaks TCP raw socket sends
From: Robin Keir (robin_at_KEIR.NET)
Date: 04/13/05
- Previous message: Russ: "Re: Alert: Microsoft Security Bulletin MS05-022 - Vulnerability in MSN Messenger Could Lead to Remote Code Execution (896597)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 12 Apr 2005 20:37:02 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Today's bugfix MS05-019 ("Vulnerabilities in TCP/IP Could Allow Remote
Code Execution and Denial of Service" - KB893066) appears to break TCP
raw socket sends on XP (tested with SP1 and SP2). Windows Server 2003
appears unaffected.
It is a documented fact that TCP raw socket sends were disabled with XP
SP2. This was easily circumvented by disabling the Windows Firewall
service ("net stop sharedaccess"). It now appears that with the MS05-019
hotfix a similar situation has arisen whereby TCP raw socket sends are
prevented, not only in SP2 but also SP1 (and probably SP0). This does
*not* seem to be able to be overcome by stopping the firewall service(s).
I don't know if this was intentional but I don't see any reference to
this behavior.
Incidentally, with Windows Server 2003 MS had "accidentally" also
disabled TCP raw socket sends as with XP SP2 until they were notified of
this unintentional regression and "fixed" it in RC2 and the final
release. One wonders whether they "accidentally" used a component from
XP SP2 in this hotfix causing this undesirable behavior.
-- Robin -- NTBugtraq Editor's Note: Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered. --
