A FLAW IN Microsoft's Point-to-Point Tunneling Protocol (PPTP) used to secure VPN (virtual private networks) leaves corporate intranets open to attack from outside, according to German IT security company Phion Information Technologies.

   ADVERTISEMENT
  

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Dell

Free IT resource

TechNet: More ways to know it, share it, and keep it running.

Sponsored by Microsoft

RELATED LINKS
»  IE 7 bug reopens debate over patch responsibilities
»  Woman ordered to pay for file-sharing will appeal
»  McAfee to buy SafeBoot for $350M
»  Security RSS feed 

IDG ENTERPRISE NETWORK
Research Reports  (CIO)
Ask the Expert  (CIO)

TOP NEWS 


IT SOLUTION SEARCH
In a security advisory Thursday, Phion said that the Microsoft PPTP service shipping with Windows 2000 and Windows XP contains a remotely exploitable pre-authentication buffer overflow. This enables a specially crafted PPTP packet to overwrite kernel memory, such that a denial-of-service attack can lock up the server. This has been verified on Windows 2000 SP3 and Windows XP, Phion said in the advisory.

Microsoft has not yet confirmed the flaw.

Phion said that VPN clients are also vulnerable as the PPTP service continually listens on an I/O port, making always-on DSL clients particularly vulnerable, Phion said.

Phion said that Windows XP clients can be temporarily protected by firewalling the PPTP port in the Internet Connection Firewall. The company said it didn't know of any solution for Windows 2000 and Windows XP PPTP servers.