Posted on threatpost.com, September 8, 2009, 11:10 AM By Dennis Fisher

Vendors are finally releasing patches today for the TCP vulnerabilities first publicized nearly a year ago that affect a huge range of networking products, including any device running a version of Cisco's IOS software, and a number of Microsoft server and desktop operating systems. Both Microsoft and Cisco released fixes for the vulnerabilities on Tuesday.

The Microsoft Patch Tuesday release included the fix for the TCP flaw, which affects Windows Server 2003 and 2008, as well as Windows Vista, both the 32-bit and 64-bit editions, and Windows 2000 SP4, for which there is no fix coming. The Microsoft bulletin is rated critical.

"The security update addresses the vulnerabilities by dropping existing TCP connections adaptively and limiting the number of new TCP connections until system resources are restored, and changing the manner in which TCP/IP packets are processed," Microsoft's bulletin says.

On Tuesday Cisco also released patches for the TCP flaw, which the company said affects every version of its IOS operating system.

"By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system. In addition to these vulnerabilities, Cisco Nexus 5000 devices contain a TCP DoS vulnerability that may result in a system crash," Cisco said.

The TCP flaws were identified several years ago and were made public last year by two researchers at Outpost24, Jack C. Louis and Robert E. Lee. Louis, who has since died, developed a tool called Sockstress which tested for the flaw and was able to maintain extremely long-term TCP connections with remote machines using very little bandwidth. Louis and Lee notified vendors about the problems in 2008, but the process of fixing the vulnerability was a long one, given the huge number of vendors and products affected.

Cisco and Microsoft are only two of the vendors affected by the vulnerability, but now that the details of the problem have become public, it may be sooner rather than later that other vendors release their own fixes.

(Posted on zdnet, November 20, 2007)

I noticed that the Beta 1 for Firefox 3.0 was made available sometime yesterday. I’ve been curious as to whether the Firefox dev team would do a serious revamp for this release or just concentrate on bug fixes and performance improvements. Early indications seem to suggest that it is indeed a major revamp of both the core and the UI, and that Firefox will be a much better browser for it.

I’m not a big Firefox user because I find the memory management to be very poor most of the time and the spiraling memory consumption affects both Firefox’s performance and the overall performance of my systems. I like Firefox but Firefox just doesn’t like me, so, while I have it installed on most systems, I mostly use Internet Explorer 7 and Opera for day to day browsing. Every time I say this I’m faced by a chorus of users telling me that there’s no problem with the way that Firefox handles memory, but this isn’t what I’m seeing. When a browser starts to edge near to consuming 500MB of RAM on a regular basis, something is wrong. Sure, I hammer the browser and have dozens of pages open at a time, but since both IE and Opera can handle this load, I expect Firefox to do so too. So far, it can’t, and because of that the icon doesn’t get clicked on that often.

Over the past few years I’ve felt that Firefox has lost its way and moved too far away from its roots. Firefox used to be about security and performance, but lately I’ve felt that add-ons and junking up the interface with eye-candy has taken priority over security and core stability.

Is Firefox 3.0 going to be better? Given what I’m seeing so far, I think so. Why? Because it looks like Mozilla have gone back to basics and worked on what really matters to users - security, speed and ease of use.

Everything about Firefox 3.0 beta 1 is fast. The download package is small which means that it comes in fast, the installation is fast, the browser fires up fast, pages and tabs open fast, the browser shuts down fast, and the uninstall process is fast and painless (I always like to test the uninstall process on applications because there’s nothing worse than having a bad house guest on your system that you can’t get rid of). This is all good stuff.

Without a doubt the Firefox 3.0 UI has been dramatically improved. Compare version 3 to version 2 and you instantly see the difference. Everything is brighter, clearer, and easier to access. Things that should be simple, such as bookmarking, saving passwords, and finding words and phrases in the text of a web page are now simple. Page zooming is brilliant, as is the feature that resumes interrupted downloads.

Security is also greatly improved. Only time will tell if the core of Firefox 3.0 will be any more secure than previous versions, but without a doubt version 3 makes it harder for hackers to get a foothold into systems. Not only have the SSL error pages been redesigned, but there’s also malware and web forgery protection available. Add-on and plugin security has also been beefed up considerably. To top that off, Firefox integrates with your anti-virus app and with the Parental Controls feature in Windows Vista.

If you’re interested in taking Firefox 3.0 beta 1 for a spin, be sure to read the disclaimer:

Please note: We do not recommend that anyone other than developers and testers download the Firefox 3 Beta 1 milestone release. It is intended for testing purposes only.

I didn’t have any problems but your mileage may vary considerably.