Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter
, delivered each Tuesday!

For only the second time, Microsoft will not release a security
bulletin this month. Meanwhile, a new denial of service (DoS) threat appears on
the horizon, but experts debate its level of risk.


Microsoft announced earlier this month that it has no plans
to release its regularly scheduled monthly security bulletin for March. (Of
course, a newfound vulnerability could always trigger an emergency release
later in the month.) Since the software giant began the monthly release practice
in October 2003, there has been only one other month—December 2003—when it
didn’t release a monthly security bulletin.

However, News.com did report a new DoS vulnerability
last week, as outlined by a posting
on the SecurityFocus industry forum site
. In the post, Dejan Levaja, who
identified himself as a system engineer in Belgrade, stated that he had
notified Microsoft of the vulnerability in late February and only decided to go
public with the information after receiving no response from the company.

The threat affects Windows Server 2003 and Windows XP systems
that have Support Pack 2 installed but the firewall turned off. These systems
are vulnerable to a “LAND attack,” which could cause a temporary DoS
attack that lasts for approximately 15 to 30 seconds.

A LAND attack (i.e., IP DoS) results from sending a
specially crafted packet to a machine where the source host/port is the same as
the destination host/port. The system attempts to reply to itself, resulting in
system lockup. While a 15- to 30-second outage may not sound too bad, Levaja
pointed out that the server isn’t the only thing to lock up—all workstations on
the network also freeze.

While Microsoft agreed that the vulnerability exists, it pointed
out that an attack would result only in a minor inconvenience and wouldn’t
present a significant threat. A researcher from the SANS
Internet Storm Center
came to essentially the same conclusion, pointing out
that XP is only vulnerable if you’ve
installed SP2.

For details about how to test for this vulnerability, check
out this diary entry at
the SANS Internet Storm Center


This vulnerability applies to all Windows Server 2003
systems and only Windows XP systems with SP2 installed.

Risk level – Moderate

While the potential LAND attack is annoying, it only
triggers a temporary DoS attack. In addition, it doesn’t require a reset to
regain control.

Mitigating factors

Microsoft’s firewall, included with XP SP2, will block the
attack if you haven’t disabled it.


Install or activate a firewall that blocks LAND attacks.

Final word

LAND attacks are nothing new, and they certainly aren’t
specific to Microsoft products. However, this is one more case of an old
vulnerability resurfacing as a new threat because of changes to new software.

I reminded you last week about the April 12 deadline for XP
SP2. If you don’t want SP2 to install automatically, you need to turn off XP’s
Automatic Update feature. Of course, with this week’s disclosure of the LAND
attack vulnerability, this takes on a new urgency, since the threat only
affects XP systems with SP2 installed.

Also watch for …

  • I’ve
    just got to stop writing about
    potential dangers here. Last time in
    this section
    , I pointed out that, while ChoicePoint was a well-known
    danger, even more obscure databases were much more dangerous if hackers
    breached their security. And wouldn’t you know it? Last week, CBSNews.com
    reported attackers
    had struck one of the LexisNexis databases
    , compromising approximately
    32,000 personal records.
    While corporate parent Reed Elsevier Group PLC was quick to point out that
    intruders didn’t access credit or medical histories, attackers did manage
    to steal social security numbers, names, addresses, and driver’s license
    numbers, so that assurance probably isn’t much comfort.
  • Last
    week, Microsoft released a new version of its Windows
    Malicious Software Removal Tool
    , which requires periodic updates due
    to the appearance of new malware variants.
  • F-secure
    has reported the existence of
    a new cell phone virus
    , “Commwarrior.” While the new virus
    has yet to wreak much havoc, it’s the first wireless virus that attacks
    through multimedia messages (including photos, sound, and video).
  • And
    finally, according
    to News.com
    , it is now officially illegal to reverse-engineer and/or
    publish security vulnerabilities in France.