Windows Server 2003 shipped in April with drivers afflicted by the Etherleak bug, first identified in January
Several third-party device drivers that ship with Windows Server 2003 contain a vulnerability that causes them to leak potentially sensitive data during TCP transmissions.
Security experts have criticised many of the vendors for failing to act quickly enough to guide users to fixes, and said the flaw could lead to attacks through local area networks (LANs).
The so-called Etherleak flaw, first highlighted in January, occurs when messages transmitted between two machines are padded with arbitrary data in order to bring their byte size in line with the accepted standard. When Ethernet frames do not meet the minimum size requirement specified by the standard, the device drivers pad the frames with data pulled from previously used buffers. This means that whatever information was in that buffer is then sent as part of the new transmission.
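The padding behaviour described above can be checked for in captured traffic. The following Python sketch is an added example, not part of the original article: it extracts the bytes that follow the IPv4 datagram in a short frame and flags any that are non-zero. It assumes IPv4 frames captured without the 4-byte frame check sequence (so a 60-byte minimum); the function names and the sample frames are constructed for illustration.

```python
import struct

ETH_MIN_NO_FCS = 60      # minimum frame size as captured (64 bytes minus 4-byte FCS)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def frame_padding(frame: bytes):
    """Return the pad bytes after the IPv4 datagram, or None if not parseable IPv4."""
    if len(frame) < 14:
        return None
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    offset += 2
    if ethertype == ETHERTYPE_VLAN:             # skip a single 802.1Q tag
        if len(frame) < offset + 4:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return None
    (total_len,) = struct.unpack_from("!H", frame, offset + 2)
    end = offset + total_len
    if frame[offset] >> 4 != 4 or total_len < 20 or end > len(frame):
        return None                             # not IPv4, malformed, or truncated
    return frame[end:]                          # whatever the driver appended


def leaks_in_padding(frame: bytes) -> bool:
    """True when the pad bytes are not all zero (possible stale-buffer data)."""
    pad = frame_padding(frame)
    return bool(pad) and any(pad)


def build_frame(pad_fill: bytes) -> bytes:
    """Constructed sample: bare TCP ACK (54 bytes) padded to the 60-byte minimum."""
    eth = bytes(6) + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 0x50, 0x10, 1024, 0, 0)
    need = ETH_MIN_NO_FCS - len(eth) - len(ip) - len(tcp)
    return eth + ip + tcp + (pad_fill * need)[:need]


if __name__ == "__main__":
    for label, fill in (("zero-padded", b"\x00"), ("stale buffer", b"secret")):
        f = build_frame(fill)
        print(label, leaks_in_padding(f), frame_padding(f))
```

A frame flagged this way shows only that the sender's padding is not zeroed; which driver is responsible has to be established from the sending host.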
News source: vnunet.com