Microsoft security flaw can lead to DoS

ISA Server offers firewall, virtual private network services and a Web cache to its users. The bug in ISA Server can be attacked in three ways, according to Richard Reiner, the chief executive officer and head of the e-security practice at SecureXpert Labs in Toronto.

If ISA Server's Web server features -- called Web publishing -- are turned on, a certain string of characters can be sent to the server to shut it down. This is a very simple attack that anyone with a modem could perpetrate in only a minute, Reiner said. This poses two problems to anyone using the Web publishing feature: The attack will take the Web site served by ISA offline and it will also stop any users behind the firewall from accessing the Web until the server is restarted, Reiner said.

ISA Server can also be crashed using the same attack by anyone inside the company using the software, regardless of whether the Web publishing feature is turned on or not, Reiner said. Lastly, if an HTML (Hypertext Markup Language) e-mail containing certain text in an image tag is sent to anyone within the company using the firewall, ISA can be crashed, Reiner said. HTML is frequently included in e-mail sent by modern e-mail programs.

Reiner, who, along with Graham Wiseman, Matthew Siemens and Kent Nicolson discovered the vulnerability, found the flaw in the first 15 minutes of installing ISA in SecureXpert Labs' testing facilities, he said. The vulnerability was "pretty glaring ... not something of great subtlety," he said.

Microsoft touted ISA as the company's first security product when it announced ISA in early February. Though it is just the company's first offering in the security area, Microsoft worked with a number of established partners on the product and should not have let such a bug slip through, Reiner said.

"They don't have any excuses," he said.

The flaw, which was discovered by a four-man team at Toronto's SecureXpert Labs, was reported to Microsoft on April 2, and Microsoft, in turn, reported the bug over the BugTraq security e-mail list on Monday. The company has already released a patch to remedy the problem, available now on its Web site.

The two weeks between SecureXpert's notifying Microsoft of the bug and the company's response is "not an excessive period of time," Reiner said. Some companies move faster, but some much slower, sometimes taking as much as a month or more to fix their bugs, he said. As such, "two weeks is not bad performance."

Microsoft was not immediately available for comment.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Sam Costello

PC World
Show Comments

Essentials

Mobile

Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >

Exec

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?