Flaws expose Win Server 2003
April launch included drivers afflicted by January-discovered Etherleak bug
Several third-party device drivers that ship with Windows Server 2003 contain a vulnerability that causes them to leak potentially sensitive data during TCP transmissions.
Security experts have criticised many of the vendors for failing to act quickly enough to guide users to fixes, and warned that the flaw could lead to attacks through local area networks (Lans).
The so-called Etherleak flaw, first identified in January, occurs when messages transmitted between two machines are padded with arbitrary data in order to bring their byte size in line with the accepted standard.
When Ethernet frames do not meet the minimum size requirement specified by the standard, the device drivers pad the frames with data pulled from previously used buffers.
This means that whatever information was in that buffer is then sent as part of the new transmission.
Researchers from security consultancy NGS Software explained that the problem was at its worst during the closure of a TCP connection when the FIN and ACK packets are exchanged.
During such exchanges, the researchers were able to observe email passwords.
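Added example, not code from any of the affected drivers: a C sketch of the padding behaviour described above, showing the leaking pattern beside a zero-filling one, plus a check that counts non-zero padding bytes. The function names, the sample frames and the 60-byte minimum (the Ethernet minimum frame length excluding the frame check sequence) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_MIN_FRAME 60 /* Ethernet minimum frame length, excluding the 4-byte FCS */

/* Leaking pattern: the tail of the reused buffer is sent as padding, unchanged. */
size_t tx_prepare_leaky(uint8_t *txbuf, const uint8_t *frame, size_t len)
{
    memcpy(txbuf, frame, len);
    return len < ETH_MIN_FRAME ? ETH_MIN_FRAME : len;
}

/* Corrected pattern: explicitly zero the padding before transmission. */
size_t tx_prepare_zeroed(uint8_t *txbuf, const uint8_t *frame, size_t len)
{
    memcpy(txbuf, frame, len);
    if (len >= ETH_MIN_FRAME)
        return len;
    memset(txbuf + len, 0, ETH_MIN_FRAME - len);
    return ETH_MIN_FRAME;
}

/* Check: number of non-zero bytes after the real frame contents. */
size_t nonzero_padding(const uint8_t *wire, size_t wire_len, size_t frame_len)
{
    size_t count = 0;
    for (size_t i = frame_len; i < wire_len; i++)
        count += (wire[i] != 0);
    return count;
}

/* Constructed scenario: a 54-byte TCP FIN/ACK (14 Ethernet + 20 IP + 20 TCP
 * header bytes, no payload) reuses a buffer that last held a larger frame. */
size_t demo(int zero_padding)
{
    uint8_t txbuf[1514], earlier[128], fin_ack[54];
    memset(earlier, 'S', sizeof earlier);   /* stand-in for earlier sensitive data */
    memset(fin_ack, 0x11, sizeof fin_ack);  /* stand-in for header bytes */
    memcpy(txbuf, earlier, sizeof earlier); /* buffer as left by the earlier send */
    size_t n = zero_padding ? tx_prepare_zeroed(txbuf, fin_ack, sizeof fin_ack)
                            : tx_prepare_leaky(txbuf, fin_ack, sizeof fin_ack);
    return nonzero_padding(txbuf, n, sizeof fin_ack);
}

int main(void)
{
    printf("leaky: %zu stale bytes, zeroed: %zu\n", demo(0), demo(1));
}
```

The same padding check can be applied to captured frames when verifying that an updated driver no longer sends stale buffer contents.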
Chris Taget, a senior security consultant at NGS Software, warned that the vulnerability could be extremely serious.
"If you are running a web server on the internet it will not be a problem, but if you are running a server containing sensitive data on a local network which other people are on, it could be a big problem," he said.
"Users on the same Lan could receive passwords and sensitive information about the server."
Taget suggested that if firms are in doubt they should contact their network card vendors immediately.
"IT directors should find out whether their vendors have updated the driver to resolve the issue," he said.
"The problem is that many vendors have not contacted [security advisory body] Cert to declare whether their products are vulnerable or not."
Taget explained that Microsoft had been in a no-win situation when certifying third-party drivers for Windows Server 2003.
"Microsoft is now getting flak for signing off third-party drivers, but would also get flak for refusing to certify drivers that support hardware," he said.
There are several drivers affected by the TCP version of this vulnerability, including those for AMD's PCNet network cards and Via Technologies' Rhine II-compatible network cards, according to a bulletin from NGS Software.
Both of these drivers are digitally signed by Microsoft and are included on the Windows Server 2003 installation CD.
The news followed last week's release of the first patch for Windows Server 2003, which plugged a flaw in Internet Explorer 5.01, 5.5 and 6.0 on all Windows platforms. The flaw could allow the execution of malicious code on a vulnerable machine.
Microsoft assured customers that the operating system itself is still sound, and that the bug is in a related application rather than in the operating system.