DoS exploit for Windows XP firewall, ICS in the wild

Windows XP platforms running a shared internet access service are at risk from an in-the-wild remote DoS exploit, vulnerability management firm nCircle reported Sunday.

"When the (additional information) section of the DNS Datagram contains two null bytes, an error occurs at the instruction 'mov dl, eax,'" nCircle's Tyler Reguly said on the company blog. "This causes the service and its host process (svchost.exe) to die."

The attack exploits the Windows Firewall/Internet Connection Sharing Service (ICS), according to researcher Patrick Nolan, posting on the SANS Internet Storm Center website.

ICS lets a Windows computer share its internet connection with other computers running on local area networks. It provides "network address translation between the public and private networks. ICS also provides DHCP (dynamic host configuration protocol) for the private network," according to the Microsoft Windows Server TechCenter website.

Reguly said disabling ICS can help solve the vulnerability. Users can determine whether they are running the service by typing 'sc query sharedaccess' at a command prompt, according to SANS.

A Microsoft spokesperson said today that the Redmond, Wash., firm is not aware of any attacks using the exploit, which only affects Windows XP users with ICS enabled.

Click here to email Dan Kaplan.
