OS flaws in leading software


Newly reported flaws in two market-leading sets of operating systems could leave routers, PCs and servers vulnerable to attack.

A buffer overrun in Microsoft Corp.'s remote procedure call interface to its Windows operating systems would let attackers execute code on a compromised machine. Microsoft called this vulnerability critical and posted downloadable patches at the Microsoft Download Center.

Cisco Systems Inc. of San Jose, Calif., today announced a problem with its Internetwork Operating System on the vast majority of Cisco devices operating in IP Version 4 environments. The flaw could fool routers and other devices into shutting down network interfaces. Cisco has released patches and workaround information in an advisory.

Microsoft's buffer overrun problem affects Windows NT 4.0, NT Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003. The Homeland Security Department this week announced a $110 million enterprisewide contract to license the latest Microsoft software (see story at www.gcn.com/vol1_no1/daily-updates/22743-1.html).

The X-Force laboratory of Internet Security Systems Inc. of Atlanta called the vulnerability 'an enormous threat. Exploitations of this vulnerability should not be considered trivial. Due to the potential impact, threats could quickly surface.'

The Cisco flaw affects IOS versions 11 and 12 through 12.2. Versions 12.3 and higher are not affected, and devices operating only in IPv6 environments should not be vulnerable, either.

Devices running the affected software can be fooled by a specific sequence of abnormal IPv4 packets into thinking that the input queue for a network interface is full, so they shut down routing and address resolution protocols. Vulnerable Cisco devices can be specifically targeted, or attacks could be broadcast, the X-Force group said.

About the Author

William Jackson is a Maryland-based freelance writer.

