Microsoft Security flaws and fixes

Discussion in 'other security issues & news' started by peakaboo, May 23, 2003.

Thread Status:
Not open for further replies.
  1. peakaboo

    peakaboo Registered Member

    Oct 20, 2002

    ICMP Router Discovery Protocol (IRDP) comes enabled by default on DHCP clients that are running Microsoft Windows95 (w/winsock2), Windows95b, Windows98, Windows98se, and Windows2000 machines.

    ZDNET article here. Headline excerpt: Hackers may be snooping on you

    Article Excerpt: Companies and users of broadband modems beware: Malicious hackers may be "listening" in on your computer's conversation across the Internet.

    Full Detail Advisory: IRDP Default Route Assignment

    Excerpt: By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system.

    Fix for above flaw (FYI I have not tried it yet):

    DHCP fix provided by Analogx

    Also see the Full Detail Advisory; there are 2 suggested fixes there (or view the next post). The registry key fix is probably what is being done by the Analogx fix.

    I ran across the DHCP fix at Analogx and followed the links to the Advisory to get more info.

    Conclusion: If you own one of the above-mentioned OSes and are using a broadband modem, you may want to look further into this flaw.
  2. peakaboo

    peakaboo Registered Member

    Oct 20, 2002

    I find it hilarious that in the above ZDnet article, where they warn of snooping, the article has an iframe doubleclick ad/tracking link (located to the right of "A slight detour for Data"). :eek:

    Also wanted to include the 08.11.99 atstake summary advisory which will lead you to the detail advisory in the above post, but also provides a Demonstration of sample code.

    Finally wanted to add the fixes from the full details advisory noted in the 1st post:

    Fixes / Work-arounds

    Firewall / Routers:
       Block all ICMP Type 9 & Type 10 packets. This should protect
       against remote Denial of Service attacks.

       The Microsoft Knowledge Base contains an article that gives info
       on how to disable IRDP. It can be found at:

       Brief Summary of article:

       IRDP can be disabled manually by adding a "PerformRouterDiscovery"
       value name and setting it to a dword value of 0, under the
       following registry key(s):


       Where #### is the binding for TCP/IP. More than one TCP/IP
       binding may exist.

       Configure your host to obtain a default gateway through DHCP,
       static routes, or via the /etc/defaultrouter file. For more
       information on IRDP refer to in.rdisc's man-page.
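Added example, not from peakaboo's posts or the atstake advisory they quote: a small Python decoder for the ICMP Router Discovery messages (RFC 1256) that the "Block all ICMP Type 9 & Type 10 packets" fix above refers to. Run over captured ICMP payloads, it recognises Router Advertisements (type 9) and Solicitations (type 10), verifies the ICMP checksum, and lists the router addresses an advertisement would push into a host's default route, so a defender can alert on advertisements naming a gateway that is not on an allowlist. Every packet, address and lifetime in the block is constructed for the demonstration; none comes from the thread.

```python
"""
Added example, not from the thread or the atstake advisory it quotes:
a decoder for ICMP Router Discovery (IRDP, RFC 1256) messages that a
defender can run over captured ICMP payloads to recognise the Router
Advertisements (type 9) and Solicitations (type 10) the advisory says to
block, and to flag advertisements naming a gateway that is not on an
allowlist. All packets below are constructed for this demonstration.
"""
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9
ICMP_ROUTER_SOLICITATION = 10
IRDP_TYPES = (ICMP_ROUTER_ADVERTISEMENT, ICMP_ROUTER_SOLICITATION)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over a whole ICMP message.
    Over a message whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(routers, lifetime=1800) -> bytes:
    """Constructed sample input only: a well-formed type-9 message.
    routers is a list of (dotted IPv4 address, preference) pairs; the
    address-entry size is 2 (32-bit words) as RFC 1256 requires."""
    body = b"".join(
        ipaddress.IPv4Address(addr).packed + struct.pack("!i", pref)
        for addr, pref in routers
    )

    def header(csum):
        return struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, csum,
                           len(routers), 2, lifetime)

    return header(icmp_checksum(header(0) + body)) + body


def parse_router_discovery(msg: bytes) -> dict:
    """Decode the common ICMP header, verify the checksum, and fully parse
    a Router Advertisement into its lifetime and (address, preference) list.
    Raises ValueError on a malformed type-9 message."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _csum, num_addrs, entry_size, lifetime = \
        struct.unpack("!BBHBBH", msg[:8])
    info = {"type": icmp_type, "code": code,
            "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type == ICMP_ROUTER_ADVERTISEMENT:
        if entry_size != 2 or len(msg) != 8 + 8 * num_addrs:
            raise ValueError("malformed Router Advertisement")
        routers = []
        for i in range(num_addrs):
            off = 8 + 8 * i
            addr = str(ipaddress.IPv4Address(msg[off:off + 4]))
            (pref,) = struct.unpack("!i", msg[off + 4:off + 8])
            routers.append((addr, pref))
        info["lifetime"] = lifetime   # seconds the advertised routes stay valid
        info["routers"] = routers
    return info


def should_block(msg: bytes) -> bool:
    """The firewall rule from the quoted advisory: drop ICMP types 9 and 10."""
    return parse_router_discovery(msg)["type"] in IRDP_TYPES


def unexpected_routers(info: dict, allowed_gateways) -> list:
    """Detection helper: advertised router addresses not on the allowlist.
    A hit means a host honouring IRDP would install a default route to an
    address the network operator did not sanction."""
    if info["type"] != ICMP_ROUTER_ADVERTISEMENT:
        return []
    return [addr for addr, _pref in info["routers"] if addr not in allowed_gateways]


if __name__ == "__main__":
    # Constructed sample: two advertised routers, only the first one sanctioned.
    sample = build_router_advertisement([("192.0.2.1", 0), ("192.0.2.254", 100)])
    decoded = parse_router_discovery(sample)
    print(decoded)
    print("block:", should_block(sample),
          "unexpected:", unexpected_routers(decoded, {"192.0.2.1"}))
```

The allowlist check is the part worth keeping once the firewall rule is in place: the registry fix stops a host acting on advertisements, but seeing type-9 traffic that names an unsanctioned gateway on a segment where no router should be sending it is itself the signal to investigate.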