Microsoft patches glitch in security tool
Microsoft Corp. last week warned users that a flaw in its new firewall and Web caching software -- billed as the company's first product aimed purely at IT security -- could lead to denial-of-service attacks blocking all Web traffic from passing through corporate firewalls.
Microsoft said in an advisory that a malicious attacker could use the flaw in the company's Internet Security and Acceleration (ISA) Server to disrupt all incoming and outgoing Web proxy requests being funneled through the software. The server running the software would have to be restarted to restore normal operations, the advisory said.
The vulnerability doesn't affect the security of firewalls and could be exploited by external attackers only if companies have turned on a Web publishing feature that's disabled by default, according to Microsoft. The company said systems administrators who have enabled that feature should install a patch that can be downloaded from its Web site.
Even companies that haven't turned on the software's Web publishing capabilities may not be safe yet. A disgruntled employee could use the flaw to launch a denial-of-service attack even if the publishing feature remains disabled. For that reason, Microsoft said all ISA Server users "should consider applying the patch."
ISA Server offers an enterprise firewall, virtual private network services and Web caching technology that's supposed to help users boost the performance of Internet-based applications. Microsoft touted the package as its first security product when ISA Server was announced two months ago.
The vulnerability in ISA Server can be attacked in three ways, according to Richard Reiner, CEO and head of the e-security practice at FSC Internet Corp.'s SecureXpert Labs division in Toronto. Reiner said he and three co-workers found the flaw in the first 15 minutes of installing ISA Server in SecureXpert Labs' testing facilities early this month.
The vulnerability was "pretty glaring, not something of great subtlety," Reiner said. If the Web server features built into ISA Server are turned on, he added, a certain string of characters can be sent that causes the software to shut down. Exploiting the flaw would be a simple task for an attacker, Reiner said.
Although ISA Server is Microsoft's first offering in the security market, Reiner said the company shouldn't have let such a bug slip through its testing process. The flaw was reported to Microsoft on April 2, and Reiner said the two weeks it took the company to respond with a patch is "not an excessive period of time."
ITworld.com
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
