
Microsoft patches 1990s-era 'Ping of Death'
Microsoft today issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed "Ping of Death."
Researchers today singled out MS11-057, which patches seven flaws in Internet Explorer, as the most important update to apply immediately.
Today's IE update was the second to patch critical vulnerabilities in IE9 on Vista and Windows 7. Microsoft first fixed a critical IE9 bug in June.
"MS11-057 affects all Windows versions, and all it takes is a malicious [Web] page to take control of a PC," echoed Wolfgang Kandek, chief research officer for Qualys. "It's a no-brainer to put this at the top of the list."
MS11-058 patches a pair of vulnerabilities in Microsoft's DNS service, which many organizations rely on to translate human-readable domain names into IP addresses.
Microsoft ranked one of the MS11-058 bugs as critical on Windows Server 2008 and Server 2008 R2 when running the DNS service, and warned that attackers could remotely exploit such servers simply by sending them a malformed query.
"[That] could potentially allow an attacker who successfully exploited the vulnerability to run arbitrary code on Windows Server 2008 and Windows Server 2008 R2 DNS servers having a particular DNS configuration," said Microsoft in a follow-up post to its Security Research & Defense blog today.
"This is significant, as the majority of organizations running Microsoft-based networks do have DNS activated on their servers," said Marcus Carey, a security researcher with Rapid7, in an email today.
Andrew Storms of nCircle, however, had a different pick for second place: MS11-064, an update that patched two bugs in the Windows TCP/IP stack.
"This looks like the 'Ping of Death' from the early-to-mid 1990s," said Storms. "At the time, when a specially-crafted ping request was sent to a host, it caused the Windows PC to blue screen and then reboot."
Two decades ago, the Ping of Death was used to bring down Windows PCs remotely, often as a way to show the instability of the operating system. "People would say, 'You're stupid to put your machines on the Internet,'" said Storms.
"My suspicion is that if this catches fire and someone writes a small attack tool and releases it, you could see [Windows PCs] blue screened at your local coffee shop," Storms said, talking about the opportunity of crashing machines on a free Wi-Fi network.
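The 1990s Ping of Death that Storms refers to worked by fragmenting an ICMP echo request so that the reassembled IPv4 datagram exceeded the 65,535-byte maximum an IP packet can have; stacks that copied fragments into a fixed-size reassembly buffer without checking offset plus length wrote past its end and crashed. The article does not describe the internals of the MS11-064 bugs, so the following is an added illustration of the classic reassembly check, not Microsoft's code and not an account of the 2011 flaw. The fragment headers are constructed (not captured traffic), and the structure and function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAXPACKET 65535u  /* largest legal IPv4 datagram, header included */
#define IP_HDR_LEN   20u     /* minimal IPv4 header; options would make it larger */

/* One received IPv4 fragment, with the fields already pulled out of its header.
 * frag_offset is in 8-byte units, exactly as it is carried on the wire. */
typedef struct {
    uint16_t frag_offset;     /* 13-bit field, units of 8 bytes */
    bool     more_fragments;  /* MF flag; clear on the last fragment */
    uint16_t payload_len;     /* bytes of data carried by this fragment */
} ip_fragment;

/* Byte range this fragment occupies inside the reassembled datagram payload. */
static uint32_t frag_start(const ip_fragment *f) { return (uint32_t)f->frag_offset * 8u; }
static uint32_t frag_end(const ip_fragment *f)   { return frag_start(f) + f->payload_len; }

/* Bounds check to run before copying a fragment into the reassembly buffer.
 * A fragment is only safe when it ends inside the largest payload an IPv4
 * datagram can carry. This is the check the 1990s stacks lacked: they accepted
 * a final fragment whose offset + length exceeded 65535 and overran the buffer. */
bool fragment_fits(const ip_fragment *f)
{
    if (f->payload_len == 0) return false;          /* nothing to copy; drop it */
    return frag_end(f) <= IP_MAXPACKET - IP_HDR_LEN; /* 65515 payload bytes max */
}

/* Model of a reassembly queue. Returns the total payload length once the last
 * fragment has been seen, 0 while the datagram is still incomplete, and -1 as
 * soon as any fragment would fall outside the legal datagram size. */
int reassemble(const ip_fragment *frags, size_t n)
{
    uint32_t highest = 0;
    bool saw_last = false;
    for (size_t i = 0; i < n; i++) {
        if (!fragment_fits(&frags[i])) return -1;
        if (frag_end(&frags[i]) > highest) highest = frag_end(&frags[i]);
        if (!frags[i].more_fragments) saw_last = true;
    }
    return saw_last ? (int)highest : 0;
}

/* Constructed sample: a 3000-byte ICMP echo split for a 1500-byte MTU,
 * i.e. 1480 data bytes per fragment. */
static const ip_fragment normal_ping[] = {
    {   0, true,  1480 },  /* bytes 0..1479 */
    { 185, true,  1480 },  /* bytes 1480..2959 */
    { 370, false,   40 },  /* bytes 2960..2999, last fragment */
};

/* Constructed Ping of Death shape, as produced by the classic "ping -l 65510":
 * 65518 bytes of ICMP fragmented into 45 pieces. Only the first and the last
 * are shown; the last one ends at byte 65518, past the 65515 the datagram may hold. */
static const ip_fragment ping_of_death[] = {
    {    0, true,  1480 },
    { 8140, false,  398 },  /* 8140 * 8 = 65120; 65120 + 398 = 65518 */
};

int normal_ping_length(void)
{
    return reassemble(normal_ping, sizeof normal_ping / sizeof normal_ping[0]);
}

int ping_of_death_result(void)
{
    return reassemble(ping_of_death, sizeof ping_of_death / sizeof ping_of_death[0]);
}

int main(void)
{
    printf("normal ping reassembles to %d payload bytes\n", normal_ping_length());
    printf("ping of death result: %d (-1 means rejected)\n", ping_of_death_result());
    return 0;
}
```

The check is deliberately placed before the copy: a stack that only validates the total after assembling all fragments has already done the out-of-bounds write by the time it notices.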
The bug exists in Windows Vista, Server 2008, Windows 7 and Server 2008 R2, Microsoft said, but not in Windows XP or Server 2003.
Microsoft also patched other vulnerabilities in Windows, including two in remote access components of the OS and one in the kernel, as well as bugs in Visio, Visual Studio and the .Net Framework.
August's security patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general research breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.