OS flaws in leading software

Newly reported flaws in two market-leading sets of operating systems could leave routers, PCs and servers vulnerable to attack.

A buffer overrun in Microsoft Corp.'s remote procedure call interface to its Windows operating systems would let attackers execute code on a compromised machine. Microsoft called this vulnerability critical and posted downloadable patches at the Microsoft Download Center.

Cisco Systems Inc. of San Jose, Calif., today announced a problem with its Internetwork Operating System on the vast majority of Cisco devices operating in IP Version 4 environments. The flaw could fool routers and other devices into shutting down network interfaces. Cisco has released patches and workaround information in an advisory.

Microsoft's buffer overrun problem affects Windows NT 4.0, NT Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003. The Homeland Security Department this week announced a $110 million enterprisewide contract to license the latest Microsoft software (see story at www.gcn.com/vol1_no1/daily-updates/22743-1.html).

The X-Force laboratory of Internet Security Systems Inc. of Atlanta called the vulnerability 'an enormous threat. Exploitations of this vulnerability should not be considered trivial. Due to the potential impact, threats could quickly surface.'

The Cisco flaw affects IOS versions 11 and 12 through 12.2. Versions 12.3 and higher are not affected, and devices operating only in IPv6 environments should not be vulnerable, either.

Devices running the affected software can be fooled by a specific sequence of abnormal IPv4 packets into thinking that the input queue for a network interface is full, so they shut down routing and address resolution protocols. Vulnerable Cisco devices can be specifically targeted, or attacks could be broadcast, the X-Force group said.

About the Author

William Jackson is a Maryland-based freelance writer.
