Microsoft VPN flaw may leave intranets open to attack
A flaw in Microsoft Corp.'s Point-to-Point Tunneling Protocol (PPTP) used to secure VPN (virtual private networks) leaves corporate intranets open to attack from outside, according to German IT security company Phion Information Technologies GmbH.
In a security advisory Thursday, Phion said that the Microsoft PPTP Service shipping with Windows 2000 and Windows XP contains a remotely exploitable pre-authentication buffer overflow. This enables a specially crafted PPTP packet to overwrite kernel memory, such that a denial of service attack can lock up the server. This has been verified on Windows 2000 SP3 and Windows XP, Phion said in the advisory.
Microsoft has not yet confirmed the flaw.
Phion said that VPN clients are also vulnerable as the PPTP service continually listens on an I/O port, making always-on DSL (Digital Subscriber Line) clients particularly vulnerable, Phion said.
Phion said that Windows XP clients can be temporarily protected by firewalling the PPTP port in the Internet Connection Firewall. The company said it didn't know of any solution for Windows 2000 and Windows XP PPTP servers.
ITworld.com
pasmith
Kindle news: pricing, business models and ... source code?
mulderjoe
Cell phone gaming: In search of good mobile games
jfruh
The guts of the iPhone 3GS
Enter your caption for this week's cartoon! The winner will receive a $25 Amazon gift card. Go now!
Essential JavaFX
Get started building rich Web apps quickly with an introduction to the power of JavaFX key features -- scene node graphs, nodes as components, the coordinate system, layout options, colors and gradients, custom classes with inheritance, animation, binding, and event handlers.Enter now!
The Nomadic Developer
Consulting can be hugely rewarding, but it's easy to fail if you are unprepared. To succeed, you need a mentor who knows the lay of the land. Aaron Erickson is your mentor, and this is your guidebook. Enter now!
