Recent Windows NT and Windows 95 Flaws, from SANS Digest

[Following reprinted with permission from SANS Network Security Digest, Vol. 1, No. 6., August 10, 1997. For subscription information, send e-mail to: ]


The Microsoft Security page is located at:

Additional NT Security Related web pages may be found at:

A) Denial of Service Attack in Microsoft IIS for NT 4.0 - (6/30)

By sending a request with a URL of a certain length (typically between 4 and 8K) you can cause an access server violation which requires a reboot to fix. Unsaved data may be lost. Microsoft has provided a patch for this problem. Exploits for this problem have been published on the Internet.

This problem effects Versions 2.0 and 3.0 on NT systems running 4.0.

For more information see the CIAC bulletin at:

B) Denial of Service Attack on Windows/NT using ICMP - (7/2)

This problem is similar to the Ping of Death attacks discussed earlier this year. By sending a corrupt ICMP packet you can cause a Windows/NT system to freeze and require a reboot.

Patches are available at fixes/usa/NT40/hotfixes-postSP3/icmp-fix

For more information see the CIAC bulletin at:

C) Bug fixes released for NT3.51 (7/26)

Patches fix two known security problems [Q143474 - Anonymous login user (Red Button) and Q161372 - SMB signing to prevent "Man in the middle" attacks.] Fixes are available at: usa/NT351/hotfixes-postSP5/sec-fix

D) Kernel Routine Error in NT 4.0 Service Pack 3.0 - (7/4)

A program called getadmin.exe, which has been distributed on the Internet, grants administrative privileges to normal users. The program takes advantage of a bug in a low-level kernel routine.

Microsoft has published a fix for this problem: hotfixes-postSP3/getadmin-fix

Later discussions on bugtraq revealed this patch did not fix the problem entirely. Additional information on the vulnerability can be found at:

E) Yet Another Netscape Communicator Bug (7/25)

The latest version of Communicator (4.0.1a) was supposed to correct a security bug discovered in June. However, there is a flaw in the way LiveConnect has been implemented in 4.0.1a. The end result is similar to the situation with the previous bug: a malicious user can monitor all of your web activity. For more information, see the article at:

F) A New Fragmentation Attack (Win NT)

When reassembling a fragmented IP packet, the Microsoft implementation does not require the first fragment to have an offset value of zero. It merely checks whether the sum of the lengths of the collected fragments equals the total length of the original unfragmented IP packet. If enough fragments have been received so that this condition holds, the NT stack will happily reassemble what it has accumulated so far. This problem has been fixed with Service Pack 3. For more information see: