Microsoft Windows 2000 SP4 and prior, Windows XP SP2 and prior, and Server 2003 SP1 and prior contain a buffer overflow vulnerability that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code.
The vulnerability exists because the TCP/IP stack fails to properly parse malformed IP source route packets. An unauthenticated, remote attacker can exploit this vulnerability by sending a suitably malformed packet to a vulnerable system. This action could result in a DoS condition or the execution of arbitrary code with SYSTEM privileges.
Proof-of-concept code is available that demonstrates exploitation to cause a DoS condition.
Microsoft acknowledged the vulnerability in a security bulletin and released software updates.
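For monitoring alongside the updates, the following added example (not part of the original advisory or any vendor tooling) walks the IPv4 options area of a raw packet and reports loose and strict source route options together with structural violations of the RFC 791 option layout. The checks are general well-formedness tests, not the specific condition behind this vulnerability, which the advisory does not describe; the function name, sample packets and addresses are constructed for illustration.

```python
import struct

LSRR, SSRR = 131, 137   # loose / strict source route option types (RFC 791)
EOOL, NOP = 0, 1        # single-byte options

def source_route_findings(packet: bytes) -> list[str]:
    """Walk the IPv4 options area and report source-route options and
    structural violations of the RFC 791 option layout."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not an IPv4 packet"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return ["invalid header length"]
    opts, i, findings = packet[20:ihl], 0, []
    while i < len(opts) and opts[i] != EOOL:
        kind = opts[i]
        if kind == NOP:
            i += 1
            continue
        label = {LSRR: "LSRR", SSRR: "SSRR"}.get(kind, f"option {kind}")
        # Bounds-check the length byte before trusting it.
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            findings.append(f"{label}: length {length} does not fit options area")
            break
        if kind in (LSRR, SSRR):
            findings.append(f"{label} present")
            if length < 3:
                findings.append(f"{label}: no pointer byte")
            else:
                if opts[i + 2] < 4:
                    findings.append(f"{label}: pointer {opts[i + 2]} below minimum 4")
                if (length - 3) % 4:
                    findings.append(f"{label}: route data not a multiple of 4 bytes")
        i += length
    return findings

def build(options: bytes) -> bytes:
    """Constructed sample: IPv4 header (checksum left zero) plus options."""
    options += b"\x00" * (-len(options) % 4)
    ver_ihl = (4 << 4) | (5 + len(options) // 4)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

# Constructed samples using documentation address ranges.
WELL_FORMED = build(bytes([LSRR, 7, 4, 203, 0, 113, 9]))
BAD_FIELDS = build(bytes([SSRR, 6, 2, 203, 0, 113]))
OVERRUN = build(bytes([LSRR, 40, 4, 203, 0, 113, 9]))

if __name__ == "__main__":
    for name, pkt in [("well-formed", WELL_FORMED), ("bad fields", BAD_FIELDS), ("overrun", OVERRUN)]:
        print(name, source_route_findings(pkt))
```

Legitimate traffic rarely carries source route options, so even the "present" finding alone is worth alerting on at a network boundary.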