Windows XP Exploit Shuts Off Windows Firewall

By Ryan Naraine  |  Posted 2006-10-31

Proof-of-concept exploits have been released for a denial-of-service vulnerability in fully patched versions of Windows XP SP2.

Detailed exploit code for a Windows XP security vulnerability has been published on the Internet, offering a roadmap for hackers to disable the firewall embedded in the operating system.

Microsoft on Oct. 31 confirmed it is investigating the issue, which targets ICS (Internet Connection Sharing), a feature in Windows XP that lets users share a dial-up or broadband connection with other users on a home network.

A spokesperson for the Redmond, Wash., software giant said the risk is minimized because ICS is disabled by default in Windows XP.

"In addition, once enabled, an attacker could only attempt to exploit this issue from the user's local network: It cannot be remotely exploited," the spokesperson said in a statement sent to eWEEK.

The company said it is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time.

"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs," the spokesperson added.

Security alerts aggregator Secunia rates the bug as "less critical" and recommends that Windows XP users find an alternative way to share the Internet connection.

The vulnerability is caused by a NULL pointer dereference error in Windows NAT Helper Components (ipnathlp.dll) and can be exploited to crash the service via a specially crafted DNS query.

At least two versions of proof-of-concept exploits have been published on the Milw0rm Web site.

Successful exploitation requires that Internet Connection Sharing is enabled and the query is received from a client on the shared network interface.
