Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (KB893066)

The kb893066 update resolves several newly-discovered, privately-reported and public vulnerabilities. The vulnerabilities are shown below:

Windows XP with Service Pack 1

IP Validation Vulnerability - Critical

A remote code execution vulnerability exists that could allow an attacker to send a specially crafted IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to remotely execute code. However, attempts to exploit this vulnerability would most likely result in a denial of service.

ICMP Connection Reset Vulnerability - Moderate

A denial of service vulnerability exists that could allow an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections.

ICMP Path MTU Vulnerability - Moderate

A denial of service vulnerability exists that could allow an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system that could cause network performance to degrade and potentially stop the affected system from responding to requests.

TCP Connection Reset Vulnerability - Low

A denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections.

Windows XP with Service Pack 2

ICMP Connection Reset Vulnerability - Moderate

Spoofed Connection Request Vulnerability - Low

A denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP/IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.

-----------------

An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding.

I recommend that Windows XP users apply the update immediately! (This kb893066 security update requires Microsoft Windows XP Service Pack 1 or a later version.)

KB893066 - More Information

The Windows XP security update is packaged as a dual-mode package. Dual-mode packages contain files for the original version of Windows XP Service Pack 1 (SP1) and files for Windows XP Service Pack 2 (SP2).

File Name - Version - Date - Time - Size - Folder

Tcpip.sys - 5.1.2600.1630 - 23-Feb-2005 - 02:00 - 339,968 - SP1QFE

Tcpip.sys - 5.1.2600.2631 - 14-Mar-2005 - 00:55 - 359,808 - SP2GDR

Tcpip.sys - 5.1.2600.2631 - 14-Mar-2005 - 01:17 - 359,936 - SP2QFE

Updspapi.dll - 6.1.22.4 - 25-Feb-2005 - 03:35 - 371,936

(The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.)

When you install these security updates, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on your operating system:

Windows XP SP1

The installer copies the SP1QFE files to your system.

Windows XP SP2

The installer copies the SP2QFE files to your system.

If you have not previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on your operating system:

Windows XP SP2

The installer copies the SP2GDR files to your system.

KB893066 - Verify Files:

You may be able to verify the files that this security update has installed by reviewing the following registry keys.

For Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893066\Filelist

KB893066 - Known Problems!

1) In Windows XP Service Pack 2, the Add or Remove Programs tool in Control Panel lists software updates. Add or Remove Programs lists software updates under the name of the product that they update. In Windows XP Service Pack 2, Add or Remove Programs will list this update under Windows XP – Software Updates. In Windows XP Service Pack 2, Add or Remove Programs will not show "Installed On" for this software update. Therefore, this software update does not show up in the order of installation. Instead, this software update shows at the top of the Windows XP – Software Updates list.

2) After you apply this security update, you may notice network performance degradation.

For more information, click here: kb890345 (You may notice that the performance of your network decreases after you apply security update kb893066)

3) This security update supports a new registry key, MaxIcmpHostRoutes.

For more information, click here: kb896350 (Security update kb893066 introduces the MaxIcmpHostRoutes registry entry.)

4) On computers that are running Microsoft Windows XP with Service Pack 1 (SP1), networking programs and tools that send manually crafted Transmission Control Protocol (TCP) packets over raw Internet Protocol (IP) sockets may stop working. This behavior may also affect programs and tools that send User Datagram Protocol (UDP) packets.

For more information, click here: kb897656 (Networking programs that send TCP packets or UDP packets over raw IP sockets may stop working after you apply security update MS05-019 to a computer that is running Windows XP with Service Pack 1)

KB893066 - Extra Discussion Point...

Windows XP SP2 introduces a few new "twists" to TCP/IP in order to help users and "reduce the threat" of worms spreading fast without control! (More here)

One such "fix" Microsoft have introduced is to limit the number of possible TCP connection attempts per second to 10 (from unlimited in SP1). This new feature can possibly affect server and P2P programs that need to open many outbound connections at the same time.

You only need to worry about the number of connection attempts per second if you have noticed a slowdown in network programs requiring a number of connections opened at once. You can check if you're hitting this limit from the Event Viewer - look for TCP/IP Warnings saying: "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts" Event ID 4224

Keep in mind this is a cap only on incomplete outbound connect attempts per second, NOT total connections. Still, running servers and P2P programs could lead to problems by having this new limitation. So a "counter fix" was created and made available at: Event ID 4226 Patcher v2.23 (The reason for a patcher file is that even though the setting was registry editable in XP SP1, it is now only possible to edit by changing it directly in the system file tcpip.sys - as explained in the Microsoft kb893066)

Of course for those that used this Patcher file will now find things are back to where they were... So by running this patcher again you should get around the problem...

BUT that is an unofficial fix to the issue (if you are having it.)

Microsoft have issued this article for those who need a "Fix". kb898060

HOWEVER a quick work around this problem is to set the default MTU size to the largest size that the routers can process. The actual MTU value that is required to work around this problem depends on the network configuration. However, an MTU value of 576 should help reduce the effect of the problem because routers on the Internet should be able to handle such packets without fragmentation.

Important Setting a low default MTU value can slow down the network performance.

Was this article on kb893066 was useful?

Have you signed up for my popular Windows XP Newsletter below?

Enjoy the rest of site and remember if you have a query about this site or a comment to make then drop me a line at the Contact Page

Finally a quality XP Newsletter!

FACT: There are dozens of Windows XP newsletters - BUT this one is different!

Find out more here: XP Newsletter

Kind Regards

Marc Liron - Bio
Microsoft Digital Media MVP
Your Guide to using Windows XP
A Unique Windows XP Newsletter? Sign Up Now!
- Make sure you get your FREE tips and advice...

The views on this website are my own and NOT that of Microsoft!
I am not responsible for the content of any sites linked to.
ALL Trademarks are freely acknowledged
ALL information is provided "As Is"

This page was last updated 25th April 2005

KB893066

More Articles at the Main Article Index