
MS05-019 Windows XP SP1 issues with raw sockets (nmap problems) and MTU


powz...@myalias.postalias

Apr 26, 2005, 11:38:47 AM
I understand Microsoft is working on updates of this security patch per
KB 898060 (as well as for WS2003 SP1). I have several questions:

- will the MS05-019 bulletin be updated with these issues (still listed as
1.0 as of 2005-04-26 08:33 PST)?
- is Microsoft planning on reissuing a new binary fix for MS05-019 after KB
898060 has undergone the necessary regression testing?
- is a new binary fix planned to be released out of cycle, or do we have to
wait until May 10 2005?
- are raw sockets enabled in the XP SP1 version of KB 898060?
- could advanced users request an alternate patch version that enables raw
sockets under XP SP2?

Disabling raw sockets is a serious issue for nmap users, and Microsoft's
suggestion to use Windows Server 2003 is not practical for many users (RAM
requirements for VPC are my biggest problem).


GeeB

Apr 26, 2005, 7:53:19 PM
Good questions. I'd like the same answers too.

They didn't update the bulletin, but they did update the KB noted in the
'Caveats' section. This KB now notes 2 more issues with the patch (one being
yours).

Amanda Wang [MSFT]

Apr 27, 2005, 9:18:30 AM
Hello,

Per your description, he seems to have some questions regarding
http://support.microsoft.com/?kbid=898060
and http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx

I have submitted these questions to the related department and am waiting
for a reply.

For the current situation, I would answer some of your questions as follows:

- will the MS05-019 bulletin be updated with these issues (still listed as
1.0 as of 2005-04-26 08:33 PST)?

Not recently.

- is Microsoft planning on reissuing a new binary fix for MS05-019 after
KB898060 has undergone the necessary regression testing?


- is a new binary fix planned to be released out of cycle, or do we have
to wait until May 10 2005?

Not yet determined.

1. Re-release involves a huge customer download; there may not be a
release of MS05-19.
2. We are currently evaluating if there is a need.
3. This hotfix contains MS05-19, and this fix has hotfix level testing.
4. You can get the hotfix from PSS.

So, I would recommend the hotfix which includes MS05-019.

- are raw sockets enabled in the XP SP1 version of KB 898060?
- could advanced users request an alternate patch version that enables raw
sockets under XP SP2?

For these two questions, I'm contacting our related department and waiting
for a reply. I will give the answers as soon as possible after getting the
response from there.

HTH!

Thanks & Regards

Amanda Wang [MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================================

--------------------
>From: <powz...@myalias.postalias>
>Subject: MS05-019 Windows XP SP1 issues with raw sockets (nmap problems) and MTU
>Date: Tue, 26 Apr 2005 08:38:47 -0700
>Lines: 18
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>Message-ID: <uretVYnS...@TK2MSFTNGP14.phx.gbl>
>Newsgroups: microsoft.public.security,microsoft.public.windowsxp.general
>NNTP-Posting-Host: dhcpool201e-002.coph.arizona.edu 128.196.187.52
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windowsxp.general:375842 microsoft.public.security:23148
>X-Tomcat-NG: microsoft.public.security

Amanda Wang [MSFT]

Apr 28, 2005, 9:51:12 AM
Hello,

About the following two questions:

- are raw sockets enabled in the XP SP1 version of KB 898060?
- could advanced users request an alternate patch version that enables raw
sockets under XP SP2?

I would like to give you some information to refer to:

In the security update MS05-019 there has been a change to RAW sockets
functionality on Microsoft Windows XP SP1 in the default configuration,
when Internet Connection Firewall (ICF) is disabled. After installation of
the security update MS05-019, it is not possible any more to send manually
crafted TCP and some UDP packets over RAW sockets. Some networking
applications and tools, such as network scanners that rely on this
functionality may stop working after installation of the update.
The same behavior is a part of the Microsoft Windows XP Service Pack 2
specification
(http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx#EHAA).
Users of tools that rely on RAW sockets functionality in the long term
shall consider migration to the Windows Server 2003 platform, which has no
limitations on RAW sockets functionality.

Workaround:
Enable and start Internet Connection Firewall. When ICF is started on
Microsoft Windows XP SP1 with the update MS05-019 installed it is possible
to send TCP/UDP packets over RAW sockets.

Raw sockets limitation was a security feature added to Windows XP SP2 and
has been back ported into the source tree that is used to build hotfixes
for the XP SP1a rev of Windows. Additional information regarding the
implementation of the raw sockets limitation can be found in the following
excerpt from the Changes to Functionality in Microsoft Windows XP Service
Pack 2 article:

"Restricted traffic over raw sockets
Detailed description

A very small number of Windows applications make use of raw IP sockets,
which provide an industry-standard way for applications to create TCP/IP
packets with fewer integrity and security checks by the TCP/IP stack. The
Windows implementation of TCP/IP still supports receiving traffic on raw IP
sockets. However, the ability to send traffic over raw sockets has been
restricted in two ways:

TCP data cannot be sent over raw sockets.

UDP datagrams with invalid source addresses cannot be sent over raw
sockets. The IP source address for any outgoing UDP datagram must exist on
a network interface or the datagram is dropped.

Why is this change important? What threats does it help mitigate?

This change limits the ability of malicious code to create distributed
denial-of-service attacks and limits the ability to send spoofed packets,
which are TCP/IP packets with a forged source IP address."
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx

Following is the info on MS05-019
------------------------------------------------

- This security update supports a new registry key, MaxIcmpHostRoutes.

This value restricts the number of host routes that can be added to the
local IP route table by receiving ICMP Redirect messages. By default, the
maximum number of coexisting host routes is 1000. After the
MaxIcmpHostRoutes entry is added, the maximum number of coexisting routes
is the value of this entry plus one. The maximum value of the
MaxIcmpHostRoutes entry is 2,147,483,646.

896350 Security update 893066 introduces the MaxIcmpHostRoutes registry entry
http://support.microsoft.com/?id=896350

------
- Changed TCP receive window size to 17,520 bytes from the previous default
of 64k

In Microsoft Windows 2000 Service Pack 3 (SP3), the size of the TCP receive
window is set to 64 KB on 100 megabits per second (Mbps) networks. This
setting may cause frequent retransmissions. Consistent customer and product
support feedback suggested that the default size should be reverted to the
pre-SP3 default of 17 KB. Therefore, this change was released as a hotfix
for affected customers. Security update 893066 decreases the default size
of the TCP receive window to 17,520 bytes.

890345 Security update 893066 returns the default size of the TCP receive
http://support.microsoft.com/?id=890345

-------
- changes the way raw sockets work when Internet Connection Firewall (ICF)
is disabled. By default, ICF is disabled in Microsoft Windows XP with SP1.

897656 Networking programs that send TCP packets or UDP packets over raw IP
http://support.microsoft.com/?id=897656

--------
- Regression in MS05-019 causes ICMP DEST UNREACHABLEs to be ignored

The issue we see in a network trace is that a packet is sent, and we receive
an ICMP Destination Unreachable. Normally we'd resend the packet using a
smaller size, but the bug causes the ICMP to be ignored and usually the same
packet is sent again.

The result is that the packet never reaches the destination, and the result
of this could cause any number of problems. One test we used was to try a
NET USE from the problem machine to another server on the other side of a
router. Since our Session Setup required more than one MTU, we received the
ICMP packet.

HTH!

Thanks & Regards

Amanda Wang [MSFT]

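The raw-socket send rules quoted in the reply above (no TCP, no UDP with a source address that is not on a local interface, and the ICF workaround on XP SP1 with MS05-019), written out as a small decision model. This is an added example, not Microsoft code and not part of the original posts; the function names, the `icf_running` flag and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed sample data: minimal 20-byte IPv4 header (checksum 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def raw_send_verdict(packet, local_addrs, icf_running=False):
    """Model of what happens to a packet an application sends on a raw socket
    on XP SP1 with MS05-019, per the rules quoted in the thread.
    Returns (allowed, reason)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not a complete IPv4 header"   # choice of this model
    if icf_running:
        # Workaround from the thread: with ICF started, TCP/UDP can be sent.
        return True, "ICF running: raw send permitted"
    proto = packet[9]                       # protocol field of the IPv4 header
    src = socket.inet_ntoa(packet[12:16])   # source address field
    if proto == IPPROTO_TCP:
        return False, "TCP data cannot be sent over raw sockets"
    if proto == IPPROTO_UDP and src not in local_addrs:
        return False, "UDP source %s is not on a local interface" % src
    return True, "allowed"

# Constructed sample: one local interface address and four outgoing packets.
LOCAL = {"10.0.0.5"}
SAMPLES = {
    "tcp_scan_probe": build_ipv4(IPPROTO_TCP, "10.0.0.5", "192.0.2.10", b"\x00" * 20),
    "udp_local_src": build_ipv4(IPPROTO_UDP, "10.0.0.5", "192.0.2.10", b"\x00" * 8),
    "udp_forged_src": build_ipv4(IPPROTO_UDP, "198.51.100.7", "192.0.2.10", b"\x00" * 8),
    "icmp_echo": build_ipv4(IPPROTO_ICMP, "10.0.0.5", "192.0.2.10", b"\x08\x00" + b"\x00" * 6),
}

def verdicts(icf_running=False):
    """Map each sample name to True (sent) or False (dropped)."""
    return {name: raw_send_verdict(pkt, LOCAL, icf_running)[0]
            for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, raw_send_verdict(pkt, LOCAL))
```

The TCP case is the one that affects scanners such as nmap; the forged-source UDP case is the spoofing mitigation the quoted article describes.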
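A way to spot the ICMP regression described in the reply above when reviewing a network trace: after an ICMP Destination Unreachable that advertises a smaller path MTU, any later send to the same destination that is still larger than that MTU means the ICMP was ignored. This is an added example, not part of the original posts; the `Event` record layout and the trace values are constructed, and it assumes the ICMP message is the "fragmentation needed" kind that carries a next-hop MTU (RFC 1191).

```python
from collections import namedtuple

# Simplified trace record (assumed layout, not a real capture schema):
#   kind "send"             -> size is the IP datagram size, mtu is None
#   kind "icmp_frag_needed" -> dst is the original destination the ICMP
#                              refers to, mtu is the advertised next-hop MTU
Event = namedtuple("Event", "t kind dst size mtu")

def find_ignored_pmtu(events):
    """Return (dst, size, advertised_mtu, t) for every send that is larger
    than a path MTU already advertised for that destination."""
    learned = {}    # dst -> smallest next-hop MTU advertised so far
    findings = []
    for ev in events:
        if ev.kind == "icmp_frag_needed":
            learned[ev.dst] = min(ev.mtu, learned.get(ev.dst, ev.mtu))
        elif ev.kind == "send" and ev.dst in learned and ev.size > learned[ev.dst]:
            findings.append((ev.dst, ev.size, learned[ev.dst], ev.t))
    return findings

# Constructed trace: healthy host shrinks the packet after the ICMP.
HEALTHY = [
    Event(0.00, "send", "192.0.2.10", 1500, None),
    Event(0.01, "icmp_frag_needed", "192.0.2.10", None, 1400),
    Event(0.02, "send", "192.0.2.10", 1400, None),
]

# Constructed trace: affected host keeps resending the same oversized packet.
REGRESSED = [
    Event(0.00, "send", "192.0.2.10", 1500, None),
    Event(0.01, "icmp_frag_needed", "192.0.2.10", None, 1400),
    Event(0.50, "send", "192.0.2.10", 1500, None),
    Event(1.50, "send", "192.0.2.10", 1500, None),
    Event(1.60, "send", "192.0.2.20", 1500, None),   # other destination, no ICMP seen
]

if __name__ == "__main__":
    print("healthy:", find_ignored_pmtu(HEALTHY))
    print("regressed:", find_ignored_pmtu(REGRESSED))
```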
