Microsoft security flaw can lead to Web attack

IDG.net

(IDG) -- Microsoft admitted this week that a flaw in its Internet Security and Acceleration (ISA) Server 1.0 can lead to a denial-of-service attack, taking Web sites and users employing the product offline until the server is restarted.

ISA Server offers firewall, virtual private network services and a Web cache to its users. The bug in ISA Server can be attacked in three ways, according to Richard Reiner, the chief executive officer and head of the e-security practice at SecureXpert Labs in Toronto.

If ISA Server's Web server features -- called Web publishing -- are turned on, a certain string of characters can be sent to the server to shut it down. This is a very simple attack that anyone with a modem could perpetrate in only a minute, Reiner said. This poses two problems to anyone using the Web publishing feature: The attack will take the Web site served by ISA offline and it will also stop any users behind the firewall from accessing the Web until the server is restarted, Reiner said.

ISA Server can also be crashed using the same attack by anyone inside the company using the software, regardless of whether the Web publishing feature is turned on or not, Reiner said. Lastly, if an HTML (Hypertext Markup Language) e-mail containing certain text in an image tag is sent to anyone within the company using the firewall, ISA can be crashed, Reiner said. HTML is frequently included in e-mail sent by modern e-mail programs.

Reiner, who discovered the vulnerability along with Graham Wiseman, Matthew Siemens and Kent Nicolson, said he found the flaw in the first 15 minutes of installing ISA in SecureXpert Labs' testing facilities. The vulnerability was "pretty glaring ... not something of great subtlety," he said.

Microsoft touted ISA as the company's first security product when it announced ISA in early February. Though it is just the company's first offering in the security area, Microsoft worked with a number of established partners on the product and should not have let such a bug slip through, Reiner said.

"They don't have any excuses," he said.

The flaw, which was discovered by a four-man team at Toronto's SecureXpert Labs, was reported to Microsoft on April 2, and Microsoft, in turn, reported the bug over the BugTraq security e-mail list on Monday. The company has already released a patch to remedy the problem, available now on its Web site.

The two weeks between SecureXpert's notifying Microsoft of the bug and the company's response is "not an excessive period of time," Reiner said. Some companies move faster, but some much slower, sometimes taking as much as a month or more to fix their bugs, he said. As such, "two weeks is not bad performance."

Microsoft was not immediately available for comment.
