Piggybacked data on a TCP Acknowledgement (ACK) package may bypass the WFP inspection process in Windows Vista
TCP uses a three-way handshake to establish a connection. The last message in the three-way handshake is a TCP Acknowledgement (ACK) packet. However, in Windows Vista, Windows Filtering Platform (WFP) inspection occurs only after the three-way handshake is completed. Therefore, any data that is piggybacked on that ACK packet may bypass the WFP inspection process.
Note: A payload can legitimately piggyback on the ACK packet.
This issue affects socket applications that use NetBIOS communication on a Windows Vista-based computer.
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB952131.
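For monitoring on hosts affected by the behaviour described above, the following added example (not taken from the KB article or from Microsoft) tracks the handshake per flow in captured IPv4 packets and reports any handshake-completing ACK that carries payload bytes. The function names, addresses, ports and sequence numbers are hypothetical, and the sample packets are constructed with zeroed checksums.

```python
import struct
from socket import inet_aton, inet_ntoa
SYN, ACK = 0x02, 0x10  # TCP flag bits

def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, seq, ack, flags, payload_len) or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or ihl + 20 > total_len:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4
    if doff < 20 or ihl + doff > total_len:
        return None
    return (inet_ntoa(pkt[12:16]), sport, inet_ntoa(pkt[16:20]), dport,
            seq, ack, off_flags & 0x3F, total_len - ihl - doff)

def handshake_acks_with_data(packets):
    """Flag the third handshake message when it carries payload bytes."""
    pending, hits = {}, []  # client flow -> (client ISN, server ISN or None)
    for p in filter(None, map(parse_ipv4_tcp, packets)):
        src, sport, dst, dport, seq, ack, flags, plen = p
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if (flags & (SYN | ACK)) == SYN:
            pending[fwd] = (seq, None)
        elif (flags & (SYN | ACK)) == (SYN | ACK) and rev in pending:
            if ack == ((pending[rev][0] + 1) & 0xFFFFFFFF):
                pending[rev] = (pending[rev][0], seq)
        elif flags & ACK and fwd in pending and pending[fwd][1] is not None:
            c_isn, s_isn = pending.pop(fwd)  # first ACK after the SYN-ACK
            if ack == ((s_isn + 1) & 0xFFFFFFFF) and plen > 0:
                hits.append((fwd, plen))
    return hits

def build(src, dst, sport, dport, seq, ack, flags, payload=b""):  # constructed packet
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return ip + tcp + payload

def handshake(cport, payload):  # constructed handshake to NetBIOS session port 139
    c, s = "192.0.2.10", "192.0.2.20"
    return [build(c, s, cport, 139, 1000, 0, SYN),
            build(s, c, 139, cport, 5000, 1001, SYN | ACK),
            build(c, s, cport, 139, 1001, 5001, ACK, payload)]

SAMPLE = handshake(49152, b"constructed-payload") + handshake(49153, b"")
```

Because a payload on the final ACK can be legitimate, a hit is a lead for review against the filter policy rather than proof of a bypass.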