Newtear

Description of Newtear

This DoS attack affects Windows 95 and Windows NT 4.0 machines.

The Newtear attack is a modified version of the Teardrop attack that appeared on the Internet approximately eight to nine months ago. Newtear exploits a problem with the way the Microsoft TCP/IP stack handles certain exceptions caused by malformed UDP header information. Such headers do not occur in properly formed TCP/IP packets; they must be generated deliberately by a malicious program.
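A defender's check for traffic of this kind, as an added example that is not part of the original advisory or of any vendor code: it parses IPv4 headers and flags datagrams whose fragments overlap or whose UDP length field disagrees with the data actually carried. Those two traits are the ones commonly described for Teardrop-family packets and are an assumption here, since the page only says the UDP header information is malformed; the function names and sample packets are likewise constructed for illustration.

```python
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"
def parse_fragment(pkt):
    """Return (flow key, start, end, more_fragments, udp_len) for one IPv4 packet."""
    vihl, _, total, ident, frag, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    start = (frag & 0x1FFF) * 8            # offset field counts 8-byte units
    end = start + (total - ihl)            # payload bytes this fragment covers
    udp_len = None
    if proto == 17 and start == 0 and len(pkt) >= ihl + 8:
        udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    return (src, dst, ident, proto), start, end, bool(frag & 0x2000), udp_len

def inspect(packets):
    """Return [(ip_id, reasons)] for datagrams with overlapping fragments or a bad UDP length."""
    flows = defaultdict(list)
    for pkt in packets:
        key, *rest = parse_fragment(pkt)
        flows[key].append(rest)
    findings = []
    for key, frags in flows.items():
        frags.sort(key=lambda f: f[0])
        reasons, high = [], 0
        for start, end, _mf, _udp in frags:
            if start < high and "overlap" not in reasons:
                reasons.append("overlap")
            high = max(high, end)
        complete = any(not f[2] for f in frags)    # final fragment (MF clear) seen
        udp_len = next((f[3] for f in frags if f[3] is not None), None)
        if complete and udp_len is not None and udp_len != high:
            reasons.append("udp-length-mismatch")
        if reasons:
            findings.append((key[2], reasons))
    return findings

def sample(ident, offset8, more, payload):
    """Build a constructed test packet in memory (documentation addresses, zero checksums)."""
    frag = (0x2000 if more else 0) | offset8
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, frag, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def udp(length_field, data_len):
    return struct.pack("!HHHH", 40000, 40001, length_field, 0) + bytes(data_len)

# Constructed samples: IP ID 1 is a well-formed two-fragment datagram, IP ID 2 is not.
SAMPLES = [sample(1, 0, True, udp(48, 16)), sample(1, 3, False, bytes(24)),
           sample(2, 0, True, udp(96, 32)), sample(2, 3, False, bytes(8))]
```

An exact retransmission of a fragment also counts as overlap in this check, so a sensor built on it would treat the two reasons together as the stronger signal.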

Symptoms of Attack

When a Windows NT or Windows 95 machine receives one of these malformed UDP packets, the operating system crashes or hangs. In most cases, users will see the Blue Screen of Death, which indicates that the system is in panic mode. While this attack is not harmful to a target machine in and of itself, any unsaved data in applications open at the time of the attack will almost certainly be lost. A simple reboot is usually sufficient to recover completely from the Newtear attack.

How can I fix this vulnerability?

The fix for this vulnerability is to patch all vulnerable machines. Patches for Windows NT 4.0 and Windows 95 are available.

Where can I read more about this?

You can read more about the Newtear attack, and other Out-Of-Band attacks, at Microsoft's Modified Teardrop Attack page. Also, visit Microsoft's Newtear2 page for more information about this vulnerability. Other good sources of information include IRChelp and EFnet's mIRC Nuke Information page. For technical information and the source code for the Newtear program, visit Rootshell.

To keep abreast of existing and emerging Denial of Service attacks, and other security threats, visit the Microsoft Security Advisor, the Windows Central Bug Site, and/or CERT. If information on a specific attack is not located on these sites, keep checking back as they are updated frequently.