Here at nCircle most of my day has been spent fielding questions about this Internet Connection Sharing vuln. There seems to be a misunderstanding regarding the question: "Is the only way to mitigate this vulnerability by turning off the Windows service 'Windows Firewall/Internet Connection Sharing (ICS)'?"
I wanted to share the below chart that Tyler provided to me. These are the results of his testing this vulnerability in our own lab over the weekend.
* Internet Connection Sharing Disabled/Enabled means the box is checked or not checked
* Windows Firewall Enabled/Disabled means it's set to On or Off
* Service State is the (Windows Firewall/Internet Connection Sharing Service)
* Interface describes which side of the network the attack originated from (LAN being the "inside" and WAN representing the "Internet Connection" side)
| Internet Connection Sharing | Windows Firewall | Service State | Interface | Crash |
|---|---|---|---|---|
| Enabled | Disabled | Enabled | LAN | Yes |
| Enabled | Enabled | Enabled | LAN | Yes |
| Disabled | Disabled | Enabled | LAN | No |
| Enabled | Disabled | Enabled | WAN | No |
| Enabled | Enabled | Enabled | WAN | No |
| Disabled | Disabled | Enabled | WAN | No |