TCP uses a three-way handshake to establish a connection. The last step in the three-way handshake is a TCP Acknowledgement (ACK) packet. However, in Windows Vista, the Windows Filtering Platform (WFP) inspection occurs only after the three-way handshake is completed. Therefore, any data that is piggybacked on the ACK packet may bypass the WFP inspection process.

Note: A payload can legitimately piggyback on the ACK packet.

This issue affects socket applications that use NetBIOS communication on a Windows Vista-based computer.
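To check a capture for the condition described above, the added example below (not part of the original article) tracks each handshake and reports flows whose handshake-completing ACK carries payload bytes. The addresses, sequence numbers and payload are constructed sample data, and port 139 (the NetBIOS session service) is used only for illustration.

```python
import struct
from socket import inet_aton, inet_ntoa
SYN, ACK, M32 = 0x02, 0x10, 0xFFFFFFFF

def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, seq, ack, flags, payload_len) or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # IPv4 carrying TCP only
        return None
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack_from("!H", pkt, 2)[0]
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", pkt, ihl)
    payload_len = total_len - ihl - (off_flags >> 12) * 4   # minus both headers
    return (inet_ntoa(pkt[12:16]), sport, inet_ntoa(pkt[16:20]), dport,
            seq, ack, off_flags & 0x3F, payload_len)

def handshake_acks_with_data(packets):
    """Return [(flow, payload_len)] where the handshake-completing ACK carries data."""
    pending, findings = {}, []          # flow -> [client ISN, server ISN or None]
    for parsed in filter(None, map(parse_ipv4_tcp, packets)):
        src, sport, dst, dport, seq, ack, flags, plen = parsed
        flow, syn_ack = (src, sport, dst, dport), flags & (SYN | ACK)
        if syn_ack == SYN:                                  # 1: client SYN
            pending[flow] = [seq, None]
        elif syn_ack == (SYN | ACK):                        # 2: server SYN/ACK
            state = pending.get((dst, dport, src, sport))
            if state and ack == (state[0] + 1) & M32:
                state[1] = seq
        elif syn_ack == ACK and flow in pending:            # 3: client ACK
            client_isn, server_isn = pending[flow]
            if (server_isn is not None and seq == (client_isn + 1) & M32
                    and ack == (server_isn + 1) & M32):
                del pending[flow]       # handshake complete, stop tracking
                if plen > 0:
                    findings.append((flow, plen))
    return findings

def build(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return ip + tcp + payload

A, B, SRV = "192.0.2.10", "192.0.2.11", "192.0.2.20"   # constructed documentation addresses
SAMPLE = [
    build(A, SRV, 49152, 139, 1000, 0, SYN), build(SRV, A, 139, 49152, 5000, 1001, SYN | ACK),
    build(A, SRV, 49152, 139, 1001, 5001, ACK, b"\x00" * 4),   # data on the final ACK
    build(B, SRV, 49153, 139, 2000, 0, SYN), build(SRV, B, 139, 49153, 7000, 2001, SYN | ACK),
    build(B, SRV, 49153, 139, 2001, 7001, ACK), build(B, SRV, 49153, 139, 2001, 7001, ACK, b"\x00" * 4),
]
```

Only the first flow is reported: the second completes the handshake with an empty ACK and sends its data afterwards, which is the case the post-handshake inspection does see.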
