Known issues with this security update
Issue with ICMPv6 packets in Windows Server 2003
After you install this security update, Windows Server 2003 may not set the value of the icmp6_cksum field in the icmp6_hdr structure for ICMPv6 packets. To resolve this issue, install hotfix 974927.
For more information about hotfix 974927, click the following article number to view the article in the Microsoft Knowledge Base:
974927 Windows Server 2003 does not set the value of the icmp6_cksum field in the icmp6_hdr structure for ICMPv6 packets after you install security update 953230 (MS08-037)
Resource Consumption Issues
Windows DNS server systems may see an increase in memory and file handles resource consumption for systems on which the security update that is described in MS08-037 is installed. This is expected behavior because of the SocketPool randomization feature that was implemented to address this security vulnerability on Windows-based servers. The implementation of the DNS server security update reserves a set of ports. One of the ports is selected randomly for each outgoing DNS query. This design decision was made to address performance concerns for DNS servers that handle and originate a significantly larger number of queries than Windows-based clients. The set of reserved ports that the DNS server reserves is known as a "socket pool."
By default, the size of the socket pool on Windows-based servers is 2,500 sockets. To configure this size, change the SocketPoolSize registry entry in the following subkey in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
956188 You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
For more information, visit the following Microsoft Web page:
Port conflict and connection issues
After you install this security update, and then you restart the computer, you may experience issues with User Datagram Protocol (UDP) dependent network services. After you install this security update, a service that depends on a UDP port may not start on a computer that is running Windows 2000, Windows Server 2003, or Windows Server 2008. This issue occurs if the service is allocated to the DNS service after security update 953230 is installed.
For more information about this issue, click the following article numbers to view the articles in the Microsoft Knowledge Base:
956188 You experience issues with UDP-dependent network services after you install DNS Server service security update 953230 (MS08-037)
977512 The DNS Server service binds to all ports in the Windows Deployment Services port range on a server that is running Windows Server 2008 R2 or Windows Server 2008
Service issues on SBS-based systems
After you install this security update, and then you restart a computer that is running Microsoft Windows Small Business Server 2003 (Windows SBS), you may experience many network-related problems.
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
956189 Some services may not start or may not work correctly on a computer that is running Windows SBS after you install the DNS Server security update 953230 (MS08-037)
Perimeter firewall devices and NAT issues
After you install this security update on a Microsoft Windows-based computer, you may find that the DNS queries that are sent across a firewall from the computer do not use random source ports.
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)
Issue with ZoneAlarm
After you install this security update on a Windows XP-based computer, on a Windows 2000-based computer, or on a Windows Server 2003-based computer that is running ZoneAlarm, you may be unable to connect to the Internet.
Note This issue does not affect Windows Vista-based computers.
This issue may occur when you run the ZoneAlarm versions that are listed in the following table.
| Application | Version number range |
|---|
| Zone Alarm Internet Security Suite | 6.5.645.000–7.0.482.000 |
| Zone Alarm Pro | 6.5.645.000–7.0.482.000 |
| Zone Alarm Anti Virus | 6.5.645.000–7.0.482.000 |
| Zone Alarm Anti-Spyware | 6.5.645.000–7.0.482.000 |
| Zone Alarm Basic Firewall | 6.5.645.000–7.0.482.000 |
| EndPoint Security | 6.5.645.000–7.0.865.000 (excluding 7.0.843.0007 and 7.0.866.000) |
To resolve this issue, install update 958752.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
958752 The version of AFD.SYS that is released together with security update 953230 (MS08-037) and security update 956803 (MS08-066) has an application compatibility issue
For more information about how to resolve this issue, visit the following ZoneAlarm Web site:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Uninstall issues
Systems that are running supported editions of Windows 2000 Server and Windows Server 2003 will receive the DNS server updates in addition to the DNS client updates. The DNS server updates and the DNS client updates share binaries. Therefore, they must be uninstalled in the reverse order that they were installed to avoid regressing the shared binaries to earlier versions.
Consider the following scenario:
- You install the DNS client security update (951748) that is described in security bulletin MS08-037.
- You install the DNS server security update (951746) that is described in security bulletin MS08-037.
- You uninstall the DNS client security update (951748) that is described in security bulletin MS08-037.
In this scenario, the DNS server security update (951746) that is described in security bulletin MS08-037 may revert to the vulnerable version. This behavior causes the DNS server security update (951746) that is described in security bulletin MS08-037 to be reoffered to the vulnerable system. Therefore, you must reinstall the DNS server security update (951746) that is described in security bulletin MS08-037.
For more information about this security update and for information about any known issues with specific releases of this software, click the following article number to view the article in the Microsoft Knowledge Base: 823836 Removing Windows software updates in the wrong order may cause the operating system to stop functioning
Socket connection issues
The updates that are offered in bulletin MS08-037 prevent the DNS service from conflicting with the reserved ports that other services may be listening on.
DNS Source Port randomization
As a part of DNS Source Port randomization, Microsoft has reserved ports to reduce the source port randomization risk. The default size of the Socket Pool on Windows Server 2003 and down-level platforms is 2500. This size is configurable by modifying the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\SocketPoolSize registry subkey.
When the value of the SocketPoolSize registry entry is changed, the DNS service must restart for the changes go into effect. On DNS servers that have other services listening on UDP ports, it is helpful to prevent the DNS service from conflicting with the reserved ports of other services.
For more information about ReservedPorts keys, click the following article number to view the article in the Microsoft Knowledge Base: 812873 How to reserve a range of ephemeral ports on a computer that is running Windows Server 2003 or Windows 2000 Server
MaxUserPort
On Windows Server 2003 and Windows 2000 Server, the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort registry subkey is defined as the maximum port up to which ports may be allocated for wildcard binds. The value of the MaxUserPort registry entry defines the dynamic port range.
For more information about the MaxUserPort registry entry, visit the following Microsoft Web site:
What is the effective port range when the value of the MaxUserPort registry entry is set explicitly?In Windows Server 2003 or Windows 2000 Server, the value of the MaxUserPort registry entry defines the dynamic port range. The range starts from 1024 to MaxUserPort.
Modifying the ephemeral port in Windows Server 2008 or later
To adjust the ephemeral port in Windows Server 2008 or later, run the following command:
netsh int <ipv4|ipv6> set dynamic <tcp|udp> start=number num=range
To view the current ephemeral port range, run the following command:
netsh int <ipv4|ipv6> show dynamicport <tcp|udp>
For more information, click the following article number to view the article in the Microsoft Knowledge Base: 929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
The following is the fix behavior on Windows Server 2003 and down-level platforms after you install the MS08-037 DNS update:
- If the value of the MaxUserPort registry entry is set, allocate ports randomly from the [1024, MaxUserPort] range.
- If the value of the MaxUserPort registry entry is not set, allocate ports randomly from the [49152, 65535] range.
More information about this security update
For more information about this security update and for information about any known issues with specific releases of this software, click the following article numbers to view the articles in the Microsoft Knowledge Base:
951748 MS08-037: Description of the security update for DNS in Windows Server 2003, in Windows XP, and in Windows 2000 Server (client side): July 8, 2008
951746 MS08-037: Description of the security update for DNS in Windows Server 2008, in Windows Server 2003, and in Windows 2000 Server (server-side): July 8, 2008