News

Microsoft: No fix yet for Windows VPN flaw

Cliff Saran
Microsoft has confirmed a security flaw in the virtual private network component of its Windows 2000/XP operating system.

The hole, discovered by security firm Phion on 26 September, could allow a hacker to run a denial of service attack on affected servers.

According to Phion, the flaw exists within the way the point-to-point tunnelling protocol (PPTP) used by the VPN is handled. In a warning on its Web site, Phion said that a specially crafted PPTP packet could allow a hacker to overwrite kernel memory, potentially allowing a would-be intruder to run arbitrary code.

Microsoft confirmed the flaw could be exploited in a denial of service attack, but said it has yet to reproduce the part of the vulnerability that would allow a hacker to run arbitrary code.

A spokeswoman for the company said that Microsoft did not yet have a work-around to protect users. However, she said, Microsoft did not believe the flaw would significantly impact on users' security.

"Because most PPTP clients operate using dynamic rather than fixed IP addresses, we believe this security issue poses less of a threat to users," she said.

Microsoft advised any user concerned about their security to block inbound network traffic on port 1723, which effectively disables access using the PPTP protocol.

While it works to develop a patch for this latest security hole, Microsoft reiterated its position on reporting and publicising security holes in its software. Microsoft chief security officer, Stuart Okin, said: "As much as possible, people who find security holes should come directly to Microsoft or Cert (the independent US IT security organisation). This gives us some time to look at the problem."

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy