News

Critical Vulnerability in IE, ISA and Proxy Server

Microsoft hastily issued a pre-patch workaround for a critical vulnerability involving the handling of the Gopher protocol in several of its products after parties went public with the information.

"The information required to exploit this vulnerability has been released before the patches have been completed. To allow customers to take action to protect themselves while the patches are built, Microsoft is releasing work-around information. Microsoft will update this bulletin to announce the availability of patches as soon as they are available," Microsoft wrote in a bulletin about the vulnerability and workaround, which can be found at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027.asp.

Microsoft has been embroiled in a long-running dispute with a faction of the information security community about whether vulnerability information should be released before a vendor has a patch available. Microsoft's position is that such information should be withheld until fixes are ready.

The problem affects Internet Explorer, Internet Security & Acceleration Server 2000 and Microsoft Proxy Server 2.0.

An unchecked buffer in code that handles information returned from a server using the Gopher protocol allows for a buffer overrun attack.

On ISA and Proxy Server, the tactic could give an attacker complete control over the server, allowing the attacker to format the hard drive, add administrators to the system or whatever else the attacker wanted to accomplish. The vulnerability on Internet Explorer is more limited, allowing the attacker to run code in the user's context.

Most of the functions and capabilities of Gopher have been superceded by HTTP, Microsoft notes, adding that it might be a good best practice to close access to Port 70 for enterprises without known legitimate uses for the protocol.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

  • Microsoft Shifts 2020 Events To Be Online Only

    Microsoft is shifting its big events this year to be online only, including Ignite 2020.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.