Fragmented IGMP Packet May Promote "Denial of Service" Attack

ID: Q238329

The information in this article applies to:
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Server, Enterprise Edition version 4.0
  • Microsoft BackOffice Small Business Server version 4.0
  • Microsoft BackOffice Server version 4.0
  • Microsoft Windows NT Server version 4.0, Terminal Server Edition
  • Microsoft Windows 95
  • Microsoft Windows 95 OEM Service Release versions 1, 2, 2.1, 2.5
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition

SYMPTOMS

When a computer running Windows 95 or Windows 98 receives a fragmented Internet Group Management Protocol (IGMP) packet, the computer's performance may degrade or the computer may stop responding (hang) and require a reboot to restore functionality.
Computers running Windows NT 4.0 are also affected by this issue, but other system components prevent any performance degradation.


CAUSE

A fragmented IGMP packet may cause the TCP/IP stack to improperly gain access to invalid segments of the computer's memory.


RESOLUTION

This patch is now available on the Windows Update Web site.

NOTE: If Dial-Up Networking Update version 1.3 for Windows 95 is not installed, you will not be able to view this fix.

Windows NT

Windows NT Workstation 4.0; Windows NT Server 4.0; Windows NT Server, Enterprise Edition:

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4.0 service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:
http://www.microsoft.com/support/supportnet/overview/overview.asp
The English-language version of this fix should have the following file attributes or later: 

   Date       Time     Size      File name   Platform
   --------------------------------------------------
   08/14/99   03:54p   150,800   Tcpip.sys   x86
   08/14/99   03:53p   274,032   Tcpip.sys   Alpha
This hotfix has been posted to the following Internet location as Igmpfixi.exe and Igmpfixa.exe.exe:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/IGMP-fix/

Terminal Server

Windows NT Server 4.0, Terminal Server Edition:

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem. If you are not severely affected by this specific problem, Microsoft recommends that you wait for the next Windows NT 4.0, Terminal Server Edition, service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:
http://www.microsoft.com/support/supportnet/overview/overview.asp
The English-language version of this fix should have the following file attributes or later: 

   Date       Time     Size      File name   Platform
   --------------------------------------------------
   09/01/99   03:28p   147,920   Tcpip.sys   x86
   09/01/99   03:34p   269,648   Tcpip.sys   Alpha
This hotfix has been posted to the following Internet location as Igmpfixi and Igmpfixa.exe:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40TSE/hotfixes-postSP4/IGMP-fix/

Windows 98

The English-language version of this fix should have the following file attributes or later: 

   Date       Time      Size       File name  Version    Platform
   ----------------------------------------------------------------
   08/12/99   05:20p    75,769     Vip.386    4.10.1999  Windows 98
   08/03/99   02:50p    80,409     Vip.386    4.10.2223  Windows 98
                                                         Second Edition
This hotfix has been posted to the following Internet location as 3304up98.exe (Windows 98) and 3304upse.exe (Windows 98 Second Edition):
http://www.microsoft.com/windows98/downloads/corporate.asp

Windows 95

The English-language version of this fix should have the following file attributes or later: 

   Date       Time     Size      File name   Version     Platform
   ----------------------------------------------------------------
   08/14/99   04:12p   75,873    Vip.386     4.10.1657   Windows 95
                                                         (all versions)
This hotfix has been posted to the following Internet location as 3304up95.exe (Windows 95, all versions):

http://www.microsoft.com/windows95/downloads/
NOTE: For Windows 95, this update requires the Dial-Up Networking 1.3 Performance and Security Update. To download the Dial-Up Networking 1.3 Performance and Security Update (Msdun13.exe), please go to the following Microsoft Web site:
http://www.microsoft.com/windows95/downloads/contents/WURecommended/S_WUNetworking/dun13win95/Default.asp


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.


MORE INFORMATION

For more information about this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/security/bulletins/ms99-034faq.asp

Additional query words:

Keywords : kbnetwork osr2 win95 ntsecurity win98 ntsp kbbug4.00 kbfix4.00 win98se
Version : WINDOWS:95; winnt:4.0
Platform : WINDOWS winnt
Issue type : kbbug


Last Reviewed: November 3, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.