Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Microsoft Security

Microsoft, Cisco Finally Patch TCP DoS Flaw 114

Posted by kdawson from the who-needs-a-botnet dept.
Trailrunner7 writes "Today vendors are finally releasing patches for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities today. The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which no fix is coming. The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress that tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth."
This discussion has been archived. No new comments can be posted.

Microsoft, Cisco Finally Patch TCP DoS Flaw More

Microsoft, Cisco Finally Patch TCP DoS Flaw

Comments Filter:

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Tuesday September 08, 2009 @06:00PM (#29358151)
    Comment removed based on user account deletion

  • what's the point of IOS? (Score:3, Insightful)

    by RelliK ( 4466 ) on Tuesday September 08, 2009 @06:02PM (#29358185)

    Obviously at the time IOS was designed, everyone would write their own special-purpose operating system for embedded devices. These days, wouldn't it make more sense to just scrap it and switch to Linux? Lots of other manufacturers are doing it (Linksys, Netgear, D-Link, etc.). This would certainly prevent this kind of embarassment.

  • Alternatively, just think of what would have happened if either of those giants had released a patch for something as fundamental as the TCP stack that introduced a new bug or worse hole; then automatically pushed it to millions of users. A year might be excessive, but considering the size of their userbases... I can understand it.

  • Re:Hey things take time. (Score:3, Insightful)

    by ThePhilips ( 752041 ) on Tuesday September 08, 2009 @07:02PM (#29358973) Homepage Journal

    Yes, absolutely. TCP is so complicated that only few engineers know precisely how it works and can patch the flaw. And probably it also lacks test tools. OMG. I'm so happy that it took them only a year.

    /sarcams

    WTF. Get real. TCP is studied and implemented as a lab assignment now in pretty much every university by all who in any way relate to network programming. Test tools and analyzers are abundant (both hardware and software) and can simulate pretty much any kind of load. There are even commercial companies selling (at size of MS and Cisco) for pennies ready suits of test cases for TCP.

    Longest way: rent an analyzer (2-4 weeks longest for it to get shipped to your office), buy a suit of test cases (0 days), run the tests (1-2 days, normally less), patch the hole (1-2 days), rerun the tests (1-2 days). IOW, if they really cared, they could have released a patch within 2-3 weeks. Heck, I have seen people implementing basic TCP quicker than that.

    This is simply another display of arrogance on part of big vendors. Nothing new here. Move on.

  • Re:what's the point of IOS? (Score:4, Insightful)

    by longfalcon ( 202977 ) on Tuesday September 08, 2009 @07:03PM (#29358979) Homepage

    are you kidding?

    Linksys was acquired by cisco.
    there is about as much difference between Linksys and cisco routers as there is between a weekend yacht and a freighter.

    IOS was designed to be an enterprise embedded solution, not for some Joe Bloggs out there who needs to hook up two computers to his cable connection.

  • Re:Hey things take time. (Score:5, Insightful)

    by Anonymous Coward on Tuesday September 08, 2009 @08:13PM (#29359675)

    WTF. Get real. TCP is studied and implemented as a lab assignment now ...

    Your point that TCP programming is practiced in abundance is well taken, but my experience has taught me that anything related to network programming in general, and TCP/IP implementations in particular (particularly where interoperability between your product and TCP stacks you've never seen before is concerned) is astoundingly difficult, and that anyone who believes that they've got all the bases covered, that they've foreseen everything that could go wrong, and that they're in the clear because their tests indicates that all their stuff is RFC-compliant will be the first to get their asses kicked hard after they release their product.

  • Re:It was a joint release date (Score:1, Insightful)

    by Anonymous Coward on Tuesday September 08, 2009 @08:20PM (#29359739)

    No, because I know that people who are willing to exploit the flaw already know how it works. For a start, you had to tell everyone in all the affected companies how it worked so they could fix it. And they told their sub contractors, who told some guy in India, who put in on his blog.

    I'd rather reward those that fixed it fast, or told me how to work around it. And if they don't, or can't, I'd rather know about it so I can do something myself.

    Put it this way, if I found out that most major manufacturers car's airbags could be remotely activated with, say, a cheap easy to build RF device, would you like me to not tell you about it for two years while the companies and their suppliers talk about it and organise to release a fix for it. All the while you are driving along not knowing that some in-the-loop terrorist is about to set of every airbag in the city, all at once?

    Or would you rather I tell you so you can choose not to drive the car?

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close