News

Critical Vulnerability in IE, ISA and Proxy Server

Microsoft hastily issued a pre-patch workaround for a critical vulnerability involving the handling of the Gopher protocol in several of its products after parties went public with the information.

"The information required to exploit this vulnerability has been released before the patches have been completed. To allow customers to take action to protect themselves while the patches are built, Microsoft is releasing work-around information. Microsoft will update this bulletin to announce the availability of patches as soon as they are available," Microsoft wrote in a bulletin about the vulnerability and workaround, which can be found at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027.asp.

Microsoft has been embroiled in a long-running dispute with a faction of the information security community about whether vulnerability information should be released before a vendor has a patch available. Microsoft's position is that such information should be withheld until fixes are ready.

The problem affects Internet Explorer, Internet Security & Acceleration Server 2000 and Microsoft Proxy Server 2.0.

An unchecked buffer in code that handles information returned from a server using the Gopher protocol allows for a buffer overrun attack.

On ISA and Proxy Server, the tactic could give an attacker complete control over the server, allowing the attacker to format the hard drive, add administrators to the system or whatever else the attacker wanted to accomplish. The vulnerability on Internet Explorer is more limited, allowing the attacker to run code in the user's context.

Most of the functions and capabilities of Gopher have been superceded by HTTP, Microsoft notes, adding that it might be a good best practice to close access to Port 70 for enterprises without known legitimate uses for the protocol.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • SharePoint Framework 1.8 Now Generally Available

    Microsoft this week announced that SharePoint Framework 1.8 had reached "general availability" status, although some features are still at the preview stage.

  • How To Create Office 365 User Accounts in Bulk

    Manual account creation can be tedious, time-consuming and prone to human error, especially if you have more than a handful of Office 365 users to set up. Brien shows you a better way.

  • System Center 2019 Reaches General Availability

    System Center 2019 has now reached the "general availability" product stage, Microsoft indicated in a Thursday update.

  • SharePoint Online Users Getting News Improvements This Month

    Microsoft plans to roll out new capabilities for SharePoint Online users this month that will add greater control over how News articles appear in SharePoint sites, according to a Wednesday announcement.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.