Stories
Slash Boxes
Comments

SoylentNews is people

Windows Systems Vulnerable to FragmentSmack, 90s-Like DoS Bug

posted by chromas on Wednesday September 19 2018, @09:35AM   Printer-friendly
from the MS-DoS dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Microsoft released a security advisory about a denial-of-service vulnerability that could render multiple versions of Windows completely unresponsive and has no mitigation factors, the company says.

The vulnerability affects all versions of Windows 7 through 10 (including 8.1 RT), Server 2008, 2012, 2016, and Core Installations that don't have the latest set of security updates released as part of the September 2018 Patch Tuesday updates.

Tagged with the identification number CVE-2018-5391, the bug received the moniker FragmentSmack because it responds to IP fragmentation, a process that adjusts the packet size to fit the maximum transmission unit (MTU) at the receiving end.

IP fragmentation attacks are a known form of denial of service, where the victim computer receives multiple IP packets of a smaller size that are expected to be reassembled into their original form at the destination.

FragmentSmack is a TCP fragmentation type of attack, also known as a Teardrop attack, that prevents reassembling the packets on the recipient end. The vulnerability is as old as Windows 3.1 and 95, where it crashed the OS, but it was seen in the more recent Windows 7, too.

Why write all new bugs when you can just reboot old ones?

Source: https://www.bleepingcomputer.com/news/security/windows-systems-vulnerable-to-fragmentsmack-90s-like-dos-bug/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Windows Systems Vulnerable to FragmentSmack, 90s-Like DoS Bug | Log In/Create an Account | Top | 12 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by Runaway1956 on Wednesday September 19 2018, @09:55AM (2 children)

    by Runaway1956 (2926) on Wednesday September 19 2018, @09:55AM (#736959) Homepage Journal

    All systems are vulnerable, and we need to be reminded of that fact from time to time. But, "Windows Systems Vulnerable" gets redundant.

    --
    Abortion is the number one killed of children in the United States.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 4, Informative) by ledow on Wednesday September 19 2018, @10:03AM

    by ledow (5567) on Wednesday September 19 2018, @10:03AM (#736961) Homepage

    Indeed

    https://access.redhat.com/articles/3553061 [redhat.com]

    It does get me that we still don't do calculations on whether basic features can be used to amplify the impact of such an attack out of a reasonable range, or design protocols so that they don't result in "more data / calculation" than a fixed bound in the first place.

  • (Score: 2) by DannyB on Wednesday September 19 2018, @05:46PM

    by DannyB (5839) on Wednesday September 19 2018, @05:46PM (#737140) Journal

    a denial-of-service vulnerability that could render multiple versions of Windows completely unresponsive and has no mitigation factors

    Lots of things, even ordinary nominal usage can render Windows systems completely unresponsive and have no mitigation factors*.

    * other than upgrading to a REAL operating system

    --
    If you eat an entire cake without cutting it, you technically only had one piece.