The vulnerability occurs in the so-called "initial sequence numbers," or ISN, computers use to reconstruct data sent over the Internet back into the original file. While some details had been released three months ago, the two papers point out deficiencies in the way such numbers are created by many operating systems, such as Microsoft's Windows 95 and Window 98 and Sun Microsystems' Solaris version of Unix.
The problem, said Jeffrey S. Havrilla, Internet security analyst for the CERT Coordination Center, a computer security organization based at Pittsburgh's Carnegie Mellon University, is that the Internet's fundamental data control mechanism known as TCP (transmission control protocol) was meant to improve reliability, not ensure security.
"TCP was designed to be a reliable protocol, and one to insure that it was designed to be somewhat predictable," he said.
That predictability could let an attacker guess the next number in a sequence, allowing him to send data to a victim's computer and masquerade as a legitimate connection. That could allow a network intruder to grab e-mail, monitor a chat exchange or simply use the connection to start a more complete compromise of the system.
The most recent vulnerability in the way that many operating systems generate the initial sequence numbers was originally outlined by Guardent, which only recently released its research on the topic.
But using the new method will not be easy, Havrilla said.
"In order to use the new vulnerability, you need to have a new set of tools to do the statistical analysis, and we haven't seen that sort of intelligence in the tools to date," he said.
According to the analysis completed by BindView, operating systems such as the Linux 2.2 kernel and the most recent version of OpenBSD create strong ISNs, while operating systems such as Windows 95, Windows 98, older versions of Windows NT, AIX and HPUX have relatively weak procedures for generating ISNs.
The latter operating systems could be exploited by an attack using the new vulnerability.