Microsoft Security Bulletin (MS99-046)

--------------------------------------



Patch Available to Improve TCP Initial Sequence Number Randomness

Originally Posted: October 22, 1999



Summary

=======

Microsoft has released a patch that significantly improves the randomness of

the TCP initial  sequence numbers (ISNs) generated by the TCP/IP stack in

Microsoft(r) Windows NT(r) 4.0.  Improving the randomness of ISNs eliminates

a class of potential attacks against Windows NT 4.0  systems.



Frequently asked questions regarding this vulnerability can be found

at http://www.microsoft.com/security/bulletins/MS99-046faq.asp.



Issue

=====

The ISNs used in TCP/IP sessions should be as random as possible in order to

prevent attacks such  as IP address spoofing and session hijacking. This

patch improves the randomness of the Windows  NT 4.0 TCP/IP ISN generation,

providing 15 bits of entropy.



Affected Software Versions

==========================

 - Microsoft Windows NT 4.0 Workstation

 - Microsoft Windows NT 4.0 Server

 - Microsoft Windows NT 4.0 Server, Enterprise Edition

 - Microsoft Windows NT 4.0 Server, Terminal Server Edition



Patch Availability

==================

 - x86:

   http://download.microsoft.com/download/winntsrv40/patch/

   4.0.1381.7014/nt4/en-us/q243835.exe

 - Alpha:

   http://download.microsoft.com/download/winntsrv40/patch/

   4.0.1381.7014/alpha/en-us/q243835.exe



NOTE: Line breaks have been inserted into the above URLs for readability.



More Information

================

Please see the following references for more information related to this

issue.

 - Microsoft Security Bulletin MS99-046: Frequently Asked Questions,

   http://www.microsoft.com/security/bulletins/MS99-046faq.asp.

 - Microsoft Knowledge Base (KB) article Q243835,

   How to Prevent Predictable TCP/IP Initial Sequence Numbers,

   http://support.microsoft.com/support/kb/articles/q243/8/35.asp.

   (Note: It may take 24 hours from the original posting of this

   bulletin for this KB article to be visible.)

 - CERT Advisory CA-95.01,

   Topic: IP Spoofing Attacks and Hijacked Terminal Connections,

   http://www.cert.org/advisories/

   CA-95.01.IP.spoofing.attacks.and.hijacked.terminal.connections.html.

   (Note: A line break has been inserted into the above URL for readability)

 - Microsoft Security Advisor web site,

   http://www.microsoft.com/security/default.asp.



Obtaining Support on this Issue

===============================

This is a fully supported patch. Information on contacting Microsoft

Technical Support is available at

http://support.microsoft.com/support/contact/default.asp.



Acknowledgments

===============

Microsoft acknowledges National Bank of Kuwait for bringing this issue to

our attention.



Revisions

=========

 - October 22, 1999: Bulletin Created.



-----------------------------------------------------------------------



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"

WITHOUT WARRANTY OF  ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER

EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES  OF MERCHANTABILITY AND FITNESS

FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION  OR ITS

SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,

INCIDENTAL,  CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,

EVEN IF MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE  EXCLUSION OR

LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE

FOREGOING  LIMITATION MAY NOT APPLY.



(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.