Patch for alert 1203/0 IP Fragment Overwrite

vijendran.packiam · ‎10-16-2012

I was unable to find the patches for the alert 1203/0 IP Fragment Overwrite.

When i go to the site "Microsoft IP Fragment Reassembly Patches".

I was unable to find patch for the Windows XP. If i go to the Windows NT4.0 Workstation i found out that the page cannot be found as well.

I need patch for Windows XP fof alert 1203/0 IP fragment Overwrite.Kindly assist on this please anyone.

wsulym · ‎10-16-2012

You don't see a windows XP patch because the vulnerability pre-dates XP's ship. If memory serves me correct (and a quick search showed nothing to the contrary), XP was not affected.

vijendran.packiam · ‎10-18-2012

Dear wsulym,

Thanks for your feedback. Actually the windows that using is windows XP as well and they are detected alert 1203/0.

This is why i was finding patch for the windows XP. Is there any other solution for this problem?

wsulym · ‎10-19-2012

Perhaps I don;t understand what you are asking.

Are you seeing alerts generated with a destination address of a Windows XP workstation?

vijendran.packiam · ‎10-22-2012

Dear wsulym,

Actually source and destination is Windows XP workstation. Thats why i was wondering how come 1203/0 alert is detected in WIndows XP workstation and when i find the patch for this alert it show page requested cannot found.

Kindly advice please.Thanks...

wsulym · ‎10-22-2012

The signature fires because traffic matching what it detects is seen.

The vulnerability was disclosed prior to winXP releasing, winXP is not vulnerable to this.

Why 2 winXP endpoints are sending traffic that triggers the signature - don't know - we'd have to look at the traffic that is being passed and match that to the alert that's firing. If you feel that this there is a false positive, I ask that you capture traffic and provide the alert that fires during that capture and either open a TAC case, or submit it here:

http://tools.cisco.com/security/center/ipshome.x?i=12&shortna=ContactUS#ContactUS