News

Critical Vulnerability in IE, ISA and Proxy Server

Microsoft hastily issued a pre-patch workaround for a critical vulnerability involving the handling of the Gopher protocol in several of its products after parties went public with the information.

"The information required to exploit this vulnerability has been released before the patches have been completed. To allow customers to take action to protect themselves while the patches are built, Microsoft is releasing work-around information. Microsoft will update this bulletin to announce the availability of patches as soon as they are available," Microsoft wrote in a bulletin about the vulnerability and workaround, which can be found at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027.asp.

Microsoft has been embroiled in a long-running dispute with a faction of the information security community about whether vulnerability information should be released before a vendor has a patch available. Microsoft's position is that such information should be withheld until fixes are ready.

The problem affects Internet Explorer, Internet Security & Acceleration Server 2000 and Microsoft Proxy Server 2.0.

An unchecked buffer in code that handles information returned from a server using the Gopher protocol allows for a buffer overrun attack.

On ISA and Proxy Server, the tactic could give an attacker complete control over the server, allowing the attacker to format the hard drive, add administrators to the system or whatever else the attacker wanted to accomplish. The vulnerability on Internet Explorer is more limited, allowing the attacker to run code in the user's context.

Most of the functions and capabilities of Gopher have been superceded by HTTP, Microsoft notes, adding that it might be a good best practice to close access to Port 70 for enterprises without known legitimate uses for the protocol.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

  • How To Block Self-Service Purchasing in Microsoft's Power Platform

    Microsoft threw Office 365 admins a bone when it gave them the ability to block users from purchasing Power Platform tools without IT approval. Here's how to prevent total anarchy.

  • Azure DevOps Services Losing Support for Alternate Credentials

    Microsoft gave notice last week that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

  • Microsoft Endpoint Configuration Manager Update 1910 Released

    Microsoft announced last week that it is starting to deliver Update 1910 for Microsoft Endpoint Configuration Manager users.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.