New Windows exploit could disable firewall

Redmond (WA) - Security researchers have discovered a new Windows flaw that could allow hackers to crash the built-in firewall. By sending malformed DNS packets to vulnerable machines, hackers could disable and eventually bypass the operating system firewall. So far only Windows XP computers with the Internet Connection Sharing (ICS) service turned on are affected by the attack.

Internet Connection Sharing is a service inherited from the early days of networking when hardware routers were rare and expensive. The service allows one computer to share an Internet connection with several internal computers. ICS creates an internal DHCP and DNS server to give IP addresses and domain name information to the internal network.

Ncircle’s Tyler Reguly has posted more information about the exploit on his company blog. He says the attack is directed at the virtual DNS server and must come from inside the internal network. Malformed DNS packets can crash the DNS server which causes a chain reaction and crashes ICS and then the firewall.

The new exploit shouldn’t be a major problem for most Windows users because the vulnerable ICS service must be explicitly turned on. The ICS menu option is located in a rather obscure spot under the Window’s network properties and is mainly tinkered with by MCSE students or very curious people. In addition, inexpensive modern routers, which split Internet connections and provide basic firewall services, have eliminated any need to use ICS.