Microsoft Squashes 20-Year-Old 'Ping of Death' Bug

Posted 08/10/2011 at 8:28am | by Paul Lilly

4

Comments

Print

Perhaps motivated by Duke Nukem Forever shipping after a decade-and-a-half of development and delays, Microsoft decided to finally patch a vulnerability dating back to the 1990s. Included in yesterday's Patch Tuesday bulletin bonanza is a little nugget listed as CVE-2011-1871, which according to ComputerWorld.com is a fix for the dreaded 'Ping of Death,' or at least it was dreaded some two decades ago.

Officially, CVE-2011-1871 describes "A denial of service vulnerability [that] exists in the Windows TCP/IP stack that is caused when the TCP/IP stack improperly handles a sequence of specially crafted ICMP messages. An attacker who successfully exploited this vulnerability could cause the target system to stop responding and automatically restart."

It was dubbed Ping of Death because hackers up to no good would ping target PCs with enlarged packets too big for the computer system to handle, causing the PC to lock up or a Blue Screen of Death (remember those?). You can view a YouTube video demonstrating the Ping of Death being used to being down a Windows 95 PC here (NSFW - language).

The latest round of Patch Tuesday updates address 22 vulnerabilities total, rolled up into 13 security updates. One of the bigger ones -- MS11-057 -- deals with Internet Explorer 9, patching seven security holes, some of which could be exploited by drive-by-downloads.