According to Cisco Systems Inc., a newly discovered flaw in the Internet Key Exchange (IKE) version 1 protocol could expose certain Cisco products to attack.
The San Jose, Calif.-based networking giant has confirmed the validity of a post to the Full Disclosure mailing list in which a UK-based researcher said an issue with the protocol could leave Cisco's VPN 3000 Series Concentrators susceptible to a denial of service.
The researcher, Roy Hills of UK-based security analysis firm NTA Monitor Ltd., discovered the IKE flaw while performing a VPN security test for a customer in July 2005.
"The vulnerability allows an attacker to exhaust the IKE resources on a VPN concentrator by sending a high rate of IKE requests, which will prevent valid clients from connecting or re-keying," wrote Hills. "The attack does not require a high bandwidth, so one attacker could potentially target many concentrators."
Hills said it is similar to the well-known TCP SYN flood attack, when TCP connection requests are sent faster than the receiving device can process them.
In a follow-up post, Dario Ciccarone of Cisco's Product Security Incident Response Team (PSIRT) confirmed the problem, noting that it affects not only the 3000 Series Concentrators but also Cisco's PIX firewall and IOS software.
"This vulnerability is not related to a specific vendor implementation, but to underlying issues in the IKE protocol, and may affect any device which implements IKE version 1," Ciccarone said.
Ciccarone said those using IOS can mitigate the problem by implementing the Call Admission Control for IKE feature. However, he added, "There are no workarounds to mitigate this vulnerability for other affected devices."
In a post on its Web site, the SANS Internet Storm Center recommends that organizations check with their vendors for other systems that may use IKE version 1.
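For IOS devices, the Call Admission Control for IKE feature that Ciccarone points to is enabled with a handful of global configuration commands. The snippet below is an added illustration, not taken from Cisco's advisory, and the numeric limits are assumptions to be sized for the expected number of legitimate peers on a given device:

```cisco
! Cap the number of IKE SAs that may be in negotiation at the same time.
! A flood of phase-1 requests can then occupy at most 40 half-open slots
! instead of exhausting the device's IKE resources (40 is an assumed value).
crypto call admission limit ike in-negotiation-sa 40
!
! Cap the total number of established IKE SAs the device will accept
! (200 is an assumed value; set it above the real peer count).
crypto call admission limit ike sa 200
!
! Reject new IKE requests once system resource usage exceeds this
! percentage, so that existing tunnels can still re-key under load.
call admission limit 80
!
! To verify the limits and watch rejected-request counters during an event:
! show crypto call admission statistics
```

Existing SAs are not torn down by these limits; they only govern whether a new negotiation is admitted, which is why re-keying of valid clients keeps working while a flood is being rejected.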
Internet Explorer 7 to arrive as 'high priority' update
Due to security concerns in its current browser, Microsoft said Wednesday that it will release its next-generation Internet Explorer 7 browser as an update to Windows XP and Windows 2003 customers.
In a posting on its Web site yesterday, the software giant said customers would receive the final version of the new Web browser, planned for release in the fourth quarter of 2006, as a high-priority update via Microsoft Automatic Updates.
Gary Schare, Microsoft's director of IE product management, told CNET News.com that the move, considered bold by some, is justified by the significant security enhancements in IE 7. Many have long considered IE6 unsuitable and in need of replacement because of the countless security flaws to which it has been vulnerable in the past several years.
However, for organizations that want to block the automatic update to IE7, Microsoft on Wednesday issued a non-expiring Blocker Toolkit that prevents the download in environments not running Windows Server Update Services or Systems Management Server 2003. Microsoft said the tool will not prevent users from manually installing Internet Explorer 7 as a recommended update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center or from external media.
The tool is only available to enterprises that have had their machines validated via Microsoft's controversial Windows Genuine Advantage program.
MessageLabs sees slight drop in spam, gain in targeted attacks
In its most recent intelligence report, New York-based messaging security firm MessageLabs Ltd. says that while spam declined slightly in recent weeks, targeted attacks are on the rise.
According to the results of its July 2006 research, the global ratio of spam decreased 2.1% to 62.7%. Sorted by nation, Israel's ratio was highest at 77.3% of all messages while India's ratio was lowest at 23.1%.
However, MessageLabs said new scams abusing mobile text messaging and online social networking services have increased, along with social engineering and targeted profiling of networking sites like MySpace.com.
Other highlights include:
Ironically, just hours before the data was released, San Francisco-based messaging analysis firm Ferris Research issued a bulletin asserting that MessageLabs has enlisted investment bank UBS Corp. in an attempt to find another company willing to buy it.
President and Senior Analyst David Ferris wrote that not only is there "plenty of interest" in acquiring malware firms, noting the recent purchases of CipherTrust and FrontBridge, but that MessageLabs itself could benefit from a merger to better facilitate the generation of wealth.
"All in all," Ferris wrote, "it's probably a good time for MessageLabs stockholders to sell."