The severity of a vulnerability in a protocol for virtual private network (VPN) technology in Windows 2000 and Windows XP depends on how critical the technology is for companies, a well-known vulnerability expert said this week.
Microsoft warned this week that its implementations of Point-to-Point Tunneling Protocol (PPTP), a virtual private network technology, contain an unchecked buffer that can be used to create a denial-of-service condition. In essence, an attacker may exploit the flaw with "a malformed PPTP control data," according to a Microsoft advisory. This can corrupt kernel memory and cause the system to shut down.
Microsoft called the PPTP vulnerability critical, but David Litchfield said this week that the flaw is probably only a moderate risk to most users. Litchfield is a well-known vulnerability finder and co-founder of Next Generation Security Software Ltd., which is based in Sutton, England.
The flaw would only allow attackers to crash the system, not run arbitrary code on it, Litchfield said. Companies that rely heavily on the technology are the ones that should be most concerned about the vulnerability.
Windows 2000 and Windows XP natively support PPTP, and it's an optional component in Windows NT 4.0, Windows 98, Windows 98SE and Windows ME.
Microsoft also released a cumulative patch for Internet Information Server (IIS) covering all security patches since Service Pack 6a for IIS 4.0 and all security patches released to date for IIS 5.0 and 5.1. The patch covers the following new vulnerabilities:
- A privilege elevation vulnerability in the way ISAPIs are launched.
- A denial-of-service vulnerability related to how memory for WebDAV requests is allocated in IIS 5.0 and 5.1.
- A vulnerability in the script source access permission in IIS 5.0.
- A pair of cross-site scripting vulnerabilities affecting IIS 4.0, 5.0 and 5.1 and involving administrative Web pages.
Additionally, Microsoft released an advisory about a flaw in Windows 2000 that could allow an attacker to drop a Trojan horse onto a system. An attacker can use the default access granted to the root directory of the system drive to drop in a Trojan named after a commonly used program.
The flaw would probably not affect servers if best practices are followed so that only trusted users can log in, Microsoft said. Additionally, remote Terminal Services sessions would pose little risk.