Critical Vulnerability in IE, ISA and Proxy Server
- By Scott Bekker
- June 12, 2002
Microsoft hastily issued a pre-patch workaround for a critical vulnerability involving the handling of the Gopher protocol in several of its products after parties went public with the information.
"The information required to exploit this vulnerability has been released before the patches have been completed. To allow customers to take action to protect themselves while the patches are built, Microsoft is releasing work-around information. Microsoft will update this bulletin to announce the availability of patches as soon as they are available," Microsoft wrote in a bulletin about the vulnerability and workaround, which can be found at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-027.asp.
Microsoft has been embroiled in a long-running dispute with a faction of the information security community about whether vulnerability information should be released before a vendor has a patch available. Microsoft's position is that such information should be withheld until fixes are ready.
The problem affects Internet Explorer, Internet Security & Acceleration Server 2000 and Microsoft Proxy Server 2.0.
An unchecked buffer in code that handles information returned from a server using the Gopher protocol allows for a buffer overrun attack.
On ISA and Proxy Server, the tactic could give an attacker complete control over the server, allowing the attacker to format the hard drive, add administrators to the system or whatever else the attacker wanted to accomplish. The vulnerability on Internet Explorer is more limited, allowing the attacker to run code in the user's context.
Most of the functions and capabilities of Gopher have been superceded by HTTP, Microsoft notes, adding that it might be a good best practice to close access to Port 70 for enterprises without known legitimate uses for the protocol.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.