No patch for Windows 2000 vuln

RIP Windows 2000?

While the bug allows remote code execution on several versions of Windows, including Vista and Server 2008, its impact on Windows 2000 is limited to causing a denial of service.

Let's hope it's not one of those Denial of Service bugs that turns out to be quite serious later.

The bug appears to be some sort of TCP/IP stack problem -- discovered by the late Jack C. Louis -- which allows attackers with the ability to connect to any port to run code or DoS the target, depending on the version of Windows.

It's a bad one.

It's especially bad if you're running legacy applications on Windows 2000. The only mitigation for this thing is a properly configured firewall that cleans TCP window sizes (cleans Windows' windows, hur hur) in front of the Windows 2000 host.

Here's the relevant bit of the advisory:

"The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system."

Windows 2000 support was to continue until July next year.