DOCUMENT:Q238329 08-MAY-2002 [crossnet] TITLE :Malformed IGMP Packets May Promote "Denial of Service" Attack PRODUCT :Windows for Workgroups and Windows NT Networking Issues PROD/VER::3.0,4.0 OPER/SYS: KEYWORDS:kbnetwork osr2 win95 win98 win98se ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Server, Enterprise Edition version 4.0 - Microsoft Windows NT Server version 4.0, Terminal Server Edition - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows 98 Second Edition - Microsoft Windows CE Platform Builder, version 3.0 ------------------------------------------------------------------------------- SYMPTOMS ======== When a computer running Windows 95 or Windows 98 receives a fragmented Internet Group Management Protocol (IGMP) packet, the computer's performance may degrade or the computer may stop responding (hang) and require a reboot to restore functionality. Computers running Windows NT 4.0 are also affected by this issue, but other system components prevent any performance degradation. CAUSE ===== A fragmented IGMP packet may cause the TCP/IP stack to improperly gain access to invalid segments of the computer's memory. RESOLUTION ========== This patch is now available on the Windows Update Web site. NOTE: If Dial-Up Networking Update version 1.3 for Windows 95 is not installed, you will not be able to view this fix. Windows NT ---------- Windows NT Workstation 4.0; Windows NT Server 4.0; Windows NT Server, Enterprise Edition: A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem. This fix may receive additional testing at a later time, to further ensure product quality. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows NT 4.0 service pack that contains this fix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The English-language version of this fix should have the following file attributes or later: Date Time Size File name Platform -------------------------------------------------- 08/14/99 03:54p 150,800 Tcpip.sys x86 08/14/99 03:53p 274,032 Tcpip.sys Alpha This hotfix has been posted to the following Internet location as Igmpfixi.exe and Igmpfixa.exe.exe: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/IGMP-fix/ Terminal Server --------------- Windows NT Server 4.0, Terminal Server Edition: A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem. This fix may receive additional testing at a later time, to further ensure product quality. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows NT 4.0, Terminal Server Edition, service pack that contains this fix. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS NOTE: In special cases, charges that are normally incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. Normal support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The English-language version of this fix should have the following file attributes or later: Date Time Size File name Platform -------------------------------------------------- 09/01/99 03:28p 147,920 Tcpip.sys x86 09/01/99 03:34p 269,648 Tcpip.sys Alpha This hotfix has been posted to the following Internet location as Igmpfixi and Igmpfixa.exe: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP4/IGMP-fix/ Windows 98 ---------- The English-language version of this fix should have the following file attributes or later: Date Time Size File name Version Platform ---------------------------------------------------------------- 08/12/99 05:20p 75,769 Vip.386 4.10.1999 Windows 98 08/03/99 02:50p 80,409 Vip.386 4.10.2223 Windows 98 Second Edition This hotfix has been posted to the following Internet location as 3304up98.exe (Windows 98) and 3304upse.exe (Windows 98 Second Edition): http://www.microsoft.com/windows98/downloads/corporate.asp Windows CE Platform Builder --------------------------- A supported fix is now available from Microsoft as Windows CE 3.0 Core OS QFE 72. To resolve this problem immediately, access the Microsoft.com Download Center at the following Web site: http://www.microsoft.com/downloads/search.asp? After you connect to this Web page, click All Products for the product name. Click Windows CE for the operating system. Click All Downloads for Show Results For, and then click Date for Sort By. Click Find It to show a list of all released QFEs for the products. The English version of this package should have the following file attributes or later: Size File name -------------------------- 7,010,648 Wce30qfe72.exe The English version of this fix should contain the following files, with the listed file attributes or later: Date Time Size File Name Platform ---------------------------------------------------- 28/08/01 16:57 752,398 Ip.lib ARM720 (Debug) 28/08/01 16:52 602,798 Ip.lib ARM720 (Retail) 28/08/01 17:07 751,138 Ip.lib SA1100 (Debug) 28/08/01 17:02 601,594 Ip.lib SA1100 (Retail) 28/08/01 15:58 853,168 Ip.lib R3000 (Debug) 28/08/01 15:53 723,524 Ip.lib R3000 (Retail) 28/08/01 16:09 853,744 Ip.lib R4100 (Debug) 28/08/01 16:04 722,718 Ip.lib R4100 (Retail) 28/08/01 16:18 853,744 Ip.lib R4111 (Debug) 28/08/01 16:14 660,436 Ip.lib R4111 (Retail) 28/08/01 16:28 853,168 Ip.lib R4300 (Debug) 28/08/01 16:24 722,788 Ip.lib R4300 (Retail) 28/08/01 16:38 834,326 Ip.lib PPC403 (Debug) 28/08/01 16:33 637,792 Ip.lib PPC403 (Retail) 28/08/01 16:48 834,326 Ip.lib PPC821 (Debug) 28/08/01 16:43 637,792 Ip.lib PPC821 (Retail) 28/08/01 15:37 767,984 Ip.lib SH3 (Debug) 28/08/01 15:32 643,336 Ip.lib SH3 (Retail) 28/08/01 15:48 767,752 Ip.lib SH4 (Debug) 28/08/01 15:43 643,118 Ip.lib SH4 (Retail) 28/08/01 17:17 756,116 Ip.lib ARM720 (Debug) 28/08/01 17:12 632,204 Ip.lib ARM720 (Retail) 28/08/01 15:28 689,554 Ip.lib i486 (Debug) 28/08/01 15:23 532,528 Ip.lib i486 (Retail) Windows 95 ---------- The English-language version of this fix should have the following file attributes or later: Date Time Size File name Version Platform ---------------------------------------------------------------- 08/14/99 04:12p 75,873 Vip.386 4.10.1657 Windows 95 (all versions) This hotfix has been posted to the following Internet location as 3304up95.exe (Windows 95, all versions): http://www.microsoft.com/windows95/downloads/ NOTE: For Windows 95, this update requires the Dial-Up Networking 1.3 Performance and Security Update. To download the Dial-Up Networking 1.3 Performance and Security Update (Msdun13.exe), please go to the following Microsoft Web site: http://www.microsoft.com/windows95/downloads/contents/WURecommended/S_WUNetworking/dun13win95/Default.asp STATUS ====== Microsoft has confirmed this to be a problem in the Microsoft products that are listed at the beginning of this article. MORE INFORMATION ================ For more information about this vulnerability, see the following Microsoft Web site: http://www.microsoft.com/security/bulletins/ms99-034faq.asp For additional information about Windows 95 hotfixes, click the article number below to view the article in the Microsoft Knowledge Base: Q161020 Implementing Windows 95 Updates For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base: Q206071 General Information on Windows 98 and SE Hotfixes Additional query words: MS99-034 ====================================================================== Keywords : kbnetwork osr2 win95 win98 win98se Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400 kbWinNTS400search kbWinNTS400 kbNTTermServ400 kbNTTermServSearch kbAudDeveloper kbWin95search kbWin98search kbWin98SEsearch kbSDKSearch kbWinCESDKSearch kbWinCESearch kbZNotKeyword3 kbWinCESDK300 kbWin98 kbWin98SE Version : :3.0,4.0 Hardware : ALPHA x86 Issue type : kbbug Solution Type : kbfix ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.