You have probably heard by now that there is a new (zero-day) exploit in the wild that can disable the Microsoft Personal Firewall. Details can be found here:
http://blog.ncircle.com/archives/2006/10/new_microsoft_r.htm

The reason I'm posting this is that the exploit abuses a bug in a DNS message parser in ICS; details are here:
http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm

Most importantly: How does the DoS work? When the Additional RRs (aka Additional Information) section of the DNS datagram contains two null bytes, an error occurs at the instruction "mov dl,byte ptr [eax]". This causes the service and its host process (svchost.exe) to die. One thing to remember is that the ICS service is tied to the Firewall service. If ICS dies, so does your firewall.

I'm worried about the scale of things here. What I'm interested in is:

1) Which resolver implementations blindly pass received messages (including the two null bytes) to the client. I haven't tested this, since I'm fairly busy preparing for the upcoming IETF, but I'm really interested if any of the implementers on this list could respond.

2) Does the ICS DNS proxy blindly parse unsolicited DNS response messages? If this is the case, then the attack efficiency scales up tremendously.

Roy

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
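As an added illustration (not code from the post, from ICS or from any resolver named here), a small Python DNS response parser that bounds-checks every read, so a header that promises an Additional RR backed by nothing but two null bytes is rejected before anything is dereferenced, and a reply whose transaction ID was never sent is dropped as unsolicited. The sample messages, the 0x1234 ID and the example.com answer are constructed for the demonstration.

```python
import struct
class MalformedDNS(ValueError): pass      # raised instead of letting a bad message reach deeper code
def need(cond, why):                      # bounds-check helper: fail closed with a clear reason
    if not cond: raise MalformedDNS(why)

def read_name(msg, off):                  # (possibly compressed) name; every read is bounds-checked
    labels = []
    while off < len(msg):
        n = msg[off]
        if n == 0:                        # root label ends the name
            return labels, off + 1
        if n & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            ptr = (n & 0x3F) << 8 | msg[off + 1] if off + 1 < len(msg) else off
            need(ptr < off, "bad compression pointer")   # backward only: in bounds and loop-free
            return labels + read_name(msg, ptr)[0], off + 2
        need(n <= 63 and off + 1 + n <= len(msg), "bad label length")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    raise MalformedDNS("name runs past end of message")

def parse_response(msg, expected_id=None):   # header counts are claims; real bytes must back them
    need(len(msg) >= 12, "short header")
    tid, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    need(expected_id is None or tid == expected_id, "unsolicited response (ID mismatch)")
    off, out = 12, {"id": tid}
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[sec] = []
        for _ in range(count):
            labels, off = read_name(msg, off)
            need(off + 10 <= len(msg), f"truncated RR in {sec} section")
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            need(off + 10 + rdlen <= len(msg), f"RDATA overruns message in {sec} section")
            out[sec].append((".".join(labels), rtype, rclass, ttl, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
    need(off == len(msg), "section lengths do not match message length")
    return out

# Constructed samples (not from the post): a clean A answer for example.com, and the same message re-headered with ARCOUNT=1 whose whole "additional section" is two null bytes.
BODY = b"\x07example\x03com\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"
GOOD = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + BODY
BAD = GOOD[:10] + b"\x00\x01" + BODY + b"\x00\x00"

def check(msg, expected_id=0x1234):       # parsed dict, or the reason the message was rejected
    try:
        return parse_response(msg, expected_id)
    except MalformedDNS as e:
        return "rejected: " + str(e)
```

A proxy or stub resolver that applied this kind of check would pass the crafted reply to nobody, which is the property the two questions above are really asking about.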
