posted by steve | Category: Current Projects |
Need more proof that security is simply not a priority at Microsoft? Today it came out that both Windows XP Professional with SP2 and Windows Server 2003 are vulnerable to an old, old, old, and incredibly enough, previously-patched flaw in their TCP stack. The attack, called a LAND attack, causes a DoS condition against the operating systems.
Of course, it’s only applicable if XP SP2 isn’t running the Windows firewall, but that’s the case within many (most?) corporate networks today. In addition, Windows Server 2003 is certainly not running with its own firewall, though it is probably hidden behind an external firewall. However, if that server happens to be running a public web server, it’s vulnerable to this attack.
Microsoft was notified 10 days ago about this vulnerability and has done nothing about it: no fix, not even an announcement. Meanwhile, you can bet that folks everywhere are working on simple scripts to do this across entire subnets. To mitigate the risk, the only option would be to stop running Windows.