
Flaws expose Windows Server 2003

Sleeper   on 01 July 2003 - 15:05 · 9 comments & 1830 views

Windows Server 2003 shipped in April with drivers afflicted by the Etherleak bug, first identified in January

Several third-party device drivers that ship with Windows Server 2003 contain a vulnerability that causes them to leak potentially sensitive data during TCP transmissions.

Security experts have criticised many of the vendors for failing to act quickly enough to guide users to fixes, and said the flaw could lead to attacks through local area networks (LANs).

The so-called Etherleak flaw, first highlighted in January, occurs when messages transmitted between two machines are padded with arbitrary data to bring them up to the size the accepted standard requires. When an Ethernet frame does not meet the minimum size specified by the standard, the device driver pads it with data pulled from previously used buffers, so whatever information was left in that buffer is sent as part of the new transmission.

News source: vnunet.com


Researchers from security consultancy NGSSoftware said the problem was at its worst during the closure of a TCP connection when the FIN and ACK packets are exchanged. During such exchanges, the researchers were able to observe email passwords.

Chris Taget, a senior security consultant at NGSSoftware, said that the vulnerability could be extremely serious for firms. "If you are running a web server on the internet it will not be a problem, but if you are running a server containing sensitive data on a local network which other people are on, it could be a big problem," he said. "Users on the same LAN could receive passwords and sensitive information about the server."

He said that if firms were in doubt they should contact their network card vendors immediately. "IT directors should find out if their vendors have updated the driver to resolve the issue," he said. "The problem is that many vendors have not contacted [security advisory body] Cert to declare whether their products are vulnerable or not."

Taget said Microsoft had been in a no-win situation when certifying third-party drivers for Windows Server 2003. "Microsoft is now getting flack for signing off third-party drivers, but would also get flack for refusing to certify drivers that support hardware," he said.

There are several drivers affected by the TCP version of this vulnerability, including those for Advanced Micro Devices PCNet network cards and Via Technologies Rhine II-compatible network cards, according to a bulletin from NGSSoftware. Both of these drivers are digitally signed by Microsoft and are included on the Windows Server 2003 installation CD.

The news followed last week's release of the first patch for Windows Server 2003, which plugs a flaw in Internet Explorer 5.01, 5.5 and 6 on all Windows platforms that could allow the execution of malicious code on a vulnerable machine. Microsoft assured customers that the operating system itself is still sound and that the bug is in a related application.
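The padding behaviour described above, as an added example that is not taken from the article or from any vendor's driver: a transmit routine that reuses one buffer, shown with the flawed padding and with zeroed padding, plus a check that counts non-zero padding bytes in a frame. All function and buffer names are hypothetical and the frame contents are constructed; it assumes the 60-byte Ethernet minimum (excluding the FCS) and a 54-byte TCP segment with no options or payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_MIN_LEN 60   /* minimum Ethernet frame, excluding the 4-byte FCS */
#define TCP_ACK_LEN 54   /* 14 Ethernet + 20 IPv4 + 20 TCP, no options or payload */
static uint8_t tx_buf[1514];   /* hypothetical transmit buffer, reused for every frame */

/* Flawed pattern: the length is rounded up, but the tail still holds old data. */
size_t tx_prepare_leaky(const uint8_t *frame, size_t len)
{
    if (len > sizeof tx_buf) return 0;
    memcpy(tx_buf, frame, len);
    return len < ETH_MIN_LEN ? ETH_MIN_LEN : len;
}

/* Corrected pattern: the padding bytes are zeroed before the frame is sent. */
size_t tx_prepare_zeroed(const uint8_t *frame, size_t len)
{
    if (len > sizeof tx_buf) return 0;
    memcpy(tx_buf, frame, len);
    if (len < ETH_MIN_LEN)
        memset(tx_buf + len, 0, ETH_MIN_LEN - len);
    return len < ETH_MIN_LEN ? ETH_MIN_LEN : len;
}

/* Capture-side check: count padding bytes (after data_len) that are not zero. */
size_t nonzero_padding(const uint8_t *wire, size_t wire_len, size_t data_len)
{
    size_t n = 0;
    for (size_t i = data_len; i < wire_len; i++) n += (wire[i] != 0);
    return n;
}

/* Send a constructed 100-byte frame, then a 54-byte one; return stale bytes sent. */
size_t leaked_bytes(int zero_padding)
{
    uint8_t earlier[100], fin_ack[TCP_ACK_LEN];
    memset(earlier, 'S', sizeof earlier);    /* constructed: stands in for sensitive data */
    memset(fin_ack, 0x11, sizeof fin_ack);   /* constructed: stands in for header bytes */
    tx_prepare_leaky(earlier, sizeof earlier);
    size_t out = (zero_padding ? tx_prepare_zeroed : tx_prepare_leaky)(fin_ack, sizeof fin_ack);
    return nonzero_padding(tx_buf, out, sizeof fin_ack);
}

int main(void)
{
    printf("leaky=%zu zeroed=%zu\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```

The same non-zero padding check can be applied to short frames in a packet capture to see whether a given network card driver still pads with stale data.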


Comments
(2 replies) #1 Quick Reply on 01 Jul 2003 - 15:13
Who the heck is Sleeper? I've never heard of the newsposter before.
#1.1 creamhackered on 01 Jul 2003 - 15:22
He's been here for as long as I can remember but has been off for a while. Thanks for welcoming him back so nicely.
#1.2 Quick Reply on 01 Jul 2003 - 15:24
It's all good now, Welcome back to Neowin!
#2 JaggedFlame on 01 Jul 2003 - 15:18
QUOTE
Taget said Microsoft had been in a no-win situation when certifying third-party drivers for Windows Server 2003. "Microsoft is now getting flack for signing off third-party drivers, but would also get flack for refusing to certify drivers that support hardware," he said.


Trudat. WHQL has been a bit of a joke lately.
#3 budwizer on 01 Jul 2003 - 15:45
Isn't this old news? The date on the article on vnunet is 6/13/03:

http://www.vnunet.com/News/1141582
http://www.neowin.net/comments.php?id=11708
http://www.infoworld.com/article/03/06/09/HNleaky_1.html
(2 replies) #4 vettimdorr on 01 Jul 2003 - 16:21
wtf, why not pad the extra data with 0's?
#4.1 hao2lian on 01 Jul 2003 - 16:58
Because then we can't poke fun at Microsoft anymore.
#4.2 Jugalator on 01 Jul 2003 - 17:08
I also asked myself this question. Just allocate a buffer to fill the remainder and zero it out. I have a feeling there's more to it than this problem, since it just seems like a *too* stupid and easy to fix flaw that it has stayed since January.

It's even common programming practice to zero out buffers before usage.
#5 Mr. Black on 01 Jul 2003 - 16:25
Too many flaws...
