Microsoft PPTP Buffer Overflow; VPNs Vulnerable

An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.
  • MS Bugs (Score:4, Funny)

    by Tyler Eaves ( 344284 ) on Friday September 27, 2002 @03:44PM (#4346879)
    Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.
    • Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.

      I would, but I have neither the time, nor the bandwidth :)

    • This actually wouldn't be a bad idea, although it would need to be done in a fairly clear-to-read manner and have severity labeled well.

      I seem to recall that there was a Dilbert strip with Ratbert in Q&A, who had "Lethal", "Boneheaded", and "Vexing" as his bug severities. This would probably be a very good way to categorize them for end users :)
    • What is the average of new MS bugs discovered per week? My guess would be around 3 a week.
    • by Trinition ( 114758 ) on Friday September 27, 2002 @04:48PM (#4347306) Homepage
      I'd be curious to know how many are buffer overflows. Seems like at least 50% are. What would it take for Microsoft to incur the overhead of checking array bounds? Java seems to do this implicitly, and it works OK for tons of applications. Ever heard of a buffer overflow EXPLOIT in Java (sure, you could get an ArrayIndexOutOfBoundsException, but it wouldn't let arbitrary code run).
      • If you have a solution that is as fast and low-level as C, yet allows you to do this, please, by all means, speak up!
      • Java-bashing aside, you've missed the point. The point was "why not check all buffer writes/reads in Microsoft code?"

        Microsoft has so many layers of APIs and other legacy crap that even their C code is slower (just look at how fast a clean OS written in C is compared to Windows). Why not at least incur a slowdown for something useful like security? If instead of using unchecked buffers they used safe buffer code, they wouldn't have this problem.

        One particular Outlook exploit I recall used an overflow in the timezone field. So, instead of "GMT+500", someone might put "GMT+505005050505050505...". Because Microsoft made an array of 4 bytes to hold the timezone offset, but didn't stop reading until the end of the string... someone could overwrite memory space.

        Now, I'd accept slightly-slower timezone parsing if it meant some thug couldn't take control of my computer by sending me an e-mail!
    • The best part is, we won't see a patch until the EULA that comes with it is written to say "we own your PC" in legal talk, pretty much guaranteeing that the only ones working overtime on this will be Microsoft's lawyers.
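The Outlook time-zone example in Trinition's thread above is the classic unchecked copy into a fixed-size field. As an added illustration, not code from Outlook or from any poster, here is that field parsed two ways in C: the unbounded loop the comment describes, and a bounded version that rejects anything that does not fit. The field format ("GMT" followed by a signed offset of at most four characters), the struct layout and the canary field next to the buffer are assumptions made for this demo.

```c
#include <stdio.h>
#include <string.h>

/* Assumed field format for the demo (not Outlook's real one): "GMT" followed
 * by a signed offset of at most four characters, e.g. "GMT+500". */
#define TZ_PREFIX     "GMT"
#define TZ_OFFSET_MAX 4

struct tz_record {
    char offset[TZ_OFFSET_MAX + 1];  /* four characters plus NUL */
    unsigned int canary;             /* hypothetical neighbouring field; an overrun lands here */
};

/* The pattern the comment describes: copy until the terminator, never checking
 * the destination size. "GMT+505005050505..." writes straight past `offset`.
 * Kept only to show the bug; it must not see untrusted input. */
void parse_tz_unchecked(struct tz_record *r, const char *field) {
    const char *src = field + strlen(TZ_PREFIX);
    char *dst = r->offset;
    while (*src != '\0')
        *dst++ = *src++;             /* no bound on dst */
    *dst = '\0';
}

/* Hardened form: check the prefix, bound the copy by the destination, and
 * accept only a sign followed by digits. Returns 0 on success, -1 on a bad
 * prefix, -2 when the offset is empty or longer than the field, -3 on bad characters. */
int parse_tz_checked(struct tz_record *r, const char *field) {
    if (strncmp(field, TZ_PREFIX, strlen(TZ_PREFIX)) != 0) return -1;
    const char *src = field + strlen(TZ_PREFIX);
    size_t n = strlen(src);
    if (n == 0 || n > TZ_OFFSET_MAX) return -2;
    if (src[0] != '+' && src[0] != '-') return -3;
    for (size_t i = 1; i < n; i++)
        if (src[i] < '0' || src[i] > '9') return -3;
    memcpy(r->offset, src, n);
    r->offset[n] = '\0';
    return 0;
}

/* Wrappers so the outcome can be checked without handling the struct directly. */
int check_tz(const char *field) {
    struct tz_record r = { "", 0 };
    return parse_tz_checked(&r, field);
}
unsigned int canary_after_checked(const char *field) {
    struct tz_record r = { "", 0xCAFEBABEu };
    (void)parse_tz_checked(&r, field);
    return r.canary;                 /* unchanged whatever `field` holds */
}

int main(void) {
    struct tz_record r = { "", 0xCAFEBABEu };
    parse_tz_unchecked(&r, "GMT+500");   /* fits, so this call is harmless */
    printf("unchecked: offset=%s canary=%#x\n", r.offset, r.canary);
    printf("checked: ok=%d overlong=%d prefix=%d chars=%d canary=%#x\n",
           check_tz("GMT-330"), check_tz("GMT+505005050505050505"),
           check_tz("EST+500"), check_tz("GMT+5a0"),
           canary_after_checked("GMT+505005050505050505"));
    return 0;
}
```

The unchecked parser is only ever called with an input that fits; feeding it the long string is undefined behaviour, which is exactly why the checked version measures the source against the destination before a single byte is copied.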
  • by mosha ( 217365 ) on Friday September 27, 2002 @03:47PM (#4346896)
    From the advisory:


    A DoS resulting in a lockup of the machine has been verified on
    Windows 2000 SP3 and Windows XP.

    A remote compromise can not be excluded,
    as we were able to fill EDI and EDX with our data.


    It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.
    • It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.

      Maybe the short-term fix would be to run in Safe Mode. Then we're ok, right? ;)
  • From what I see in the German brief on the exploit, this can write to the memory of the system. So does this mean the worst that can happen is to crash a Windows box?

    Also, does this apply only to Windows systems using PPTP or to VPN hardware devices as well?
    • by WolfWithoutAClause ( 162946 ) on Friday September 27, 2002 @04:33PM (#4347199) Homepage
      No, they said they can write to the kernel memory; the kernel is the heart of the operating system. If you can make modifications to the kernel, you can usually do anything- in Linux terms: you're 'root'.

      This is an extremely bad bug; VPN software is deployed to protect intranets whilst allowing machines outside to connect- often it is the only thing between an intranet and the outside world.

      This is a really, really worrying thing; if an exploit rather than just a DOS exists, and they indicate that they think it probably is there, it's a huge hole in tens of thousands of firewalls worldwide.

      You've always got a choice; open source, or open wallet; now you've got open firewall too, thrown in at no extra charge. Nice!

  • I didn't see any information in Windows NT 4.0. Does this mean that the vulnerability doesn't exist, or that they haven't tested it? (The site doesn't say.)
    • Re:NT 4? (Score:4, Informative)

      by FreeLinux ( 555387 ) on Friday September 27, 2002 @04:18PM (#4347104)
      IIRC PPTP was not available on NT 4.0 unless you installed the later released RRAS (Routing and Remote Access Server).

      I would expect RRAS to also be vulnerable but, there won't be a patch for it due to discontinued support.

      • Re:NT 4? (Score:2, Informative)

        by og_sh0x ( 520297 )
        That is not correct. You can install PPTP on NT4 without installing RRAS. RRAS just allows you to route through the VPN to create a server-to-server vs. a client-to-server VPN connection.
      • Actually a patch should still be made available if RRAS is vulnerable. According to this page here [microsoft.com], security fixes for NT4 will be made available until January of next year.

        This is good news considering we're only holding on to our NT4 server long enough to find a way to migrate to linux. I'll be moving our pptp server over to linux this weekend now that I've read about this. I actually read it earlier in the day and wasn't sure what to do until I could find out more information.

      • How do you know that they are going to stop releasing patches for NT4? Are you in upper management at Microsoft? Probably not. I did however support NT4 networking, security, and setup for Microsoft for over a year (2000-2001). From experience, I'll assume that if NT4 is vulnerable (RAS and/or RRAS), they'll fix it. There's still a lot of NT4 servers out there because of the cost to upgrade the server OS and CALs. Hell, they supported NT 3.51 up until about a year ago. They drop client side OS support after so many years without thinking twice because they have a stranglehold on the consumer OS market. The server market is a whole different story though. Why would they piss off corporate customers? Corporations realize that end users aren't going to be sitting in front of servers, so it makes little difference how familiar it is to the whole staff. Corporations aren't as afraid to switch server platforms. Microsoft needs to provide a lot of incentive to get people to stick with their server suite and they know it.

        Look at the link that Tweek posted. They are being very careful not to piss off the server market. Windows 95 support started to disappear without warning. Compare that decision to the page Tweek referenced and you'll see the difference in attitude.

  • Details... (Score:2, Redundant)

    by fungus ( 37425 )
    From: sh@phion.com [mailto:sh@phion.com]
    Sent: Thursday, September 26, 2002 5:44 AM
    To: bugtraq@securityfocus.com
    Subject: Microsoft PPTP Server and Client remote vulnerability

    phion Security Advisory 26/09/2002

    Microsoft PPTP Server and Client remote vulnerability

    Summary

    The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
    remotely exploitable pre-authentication buffer overflow.

    Affected Systems

    Microsoft Windows 2000 and XP running either a PPTP Server or Client.

    Impact

    With a specially crafted PPTP packet it is possible to overwrite kernel
    memory.

    A DoS resulting in a lockup of the machine has been verified on
    Windows 2000 SP3 and Windows XP.

    A remote compromise should be possible deploying proper shellcode,
    as we were able to fill EDI and EDX with our data.

    Clients are vulnerable too, because the Service always listens on port
    1723 on any interface of the machine, this might be of special concern
    to DSL users which use PPTP to connect to their modem.

    Solution

    As a temporary solution for the Client issue, one might firewall the PPTP
    port in the Internet Connection Firewall for Windows XP.

    We don't know of any solution for Windows 2000 and Windows XP PPTP servers.

    The vendor has been informed.

    Acknowledgements

    The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
    on behalf of phion Information Technologies.

    Contact Information

    phion Information Technologies can be reached via:
    office@phion.com / http://www.phion.com

    Stephan Hoffmann can be reached via:
    sh@phion.com

    Thomas Unterleitner can be reached via:
    t.unterleitner@phion.com

    References

    [1] phion Information Technologies
    http://www.phion.com/

    Exploit

    phion Information Technologies will not provide an exploit for this issue.

    Disclaimer

    This advisory does not claim to be complete or to be usable for any
    purpose.

    This advisory is free for open distribution in unmodified form.

    Articles or Publications that are based on information from this advisory
    have to include link [1].
    • phion Information Technologies will not provide an exploit for this issue.

      In reference to remarks about lawsuits. This is a smart move, this would probably help against the getting-our-asses-sued-by-MS possibilities.

      If they poke their own machines I don't think it quite counts the same as hacking somebody else's machine and then telling them they're vulnerable.

      I was just recently looking at the possibilities of setting up a linux VPN, instead of opening up my Windows machines (/. never posted it, boohoo for me). This looks like a good reason to do it that way, anyone have suggestions? I've looked at freeS/WAN [freeswan.org], but the online documentation is dead

      I'm downloading the freeSwan files before their server gets slashdotted now too - phorm
      • FreeS/WAN works, kinda, if you don't mind it taking over routing and a couple of other things with it. pipsecd [debian.org] is a lot simpler (just tunnels, and not even dynamic) to set up, for fixed point-to-point links.

        If you don't have to interoperate with win32 peers (other than merely routing for them), I'd suggest tinc [linux.org]. A lot easier to deploy than IPSec variants (in my experience), it's quite good security, and the most easily manageable solution I've come across yet, especially for meshes of more than two machines.

        Freshmeat has lots of other possibilities, I haven't even tried the majority, let alone all of them. I'm sure you'll find something that suits your needs, though. =)
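The advisory posted above says a crafted PPTP packet overwrites kernel memory before any authentication, and that clients are exposed because the service listens on TCP/1723 on every interface. The page does not say which field is mishandled, so the following added example (written for this page; not phion's, Microsoft's or any poster's code) shows the bug class rather than the bug: a C builder for the Start-Control-Connection-Request a client sends first, and a parser for the control-message header and Start-Control-Connection-Reply as laid out in RFC 2637, which treats the Length field as attacker-controlled and bounds every read and copy by the octets actually received and by the fixed field widths. The reply bytes are constructed for the demo, not captured from a real server.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout from RFC 2637 section 2; all multi-octet fields are big-endian. */
#define PPTP_MAGIC       0x1A2B3C4Du
#define PPTP_MSG_CONTROL 1
#define PPTP_CTRL_SCCRQ  1    /* Start-Control-Connection-Request */
#define PPTP_CTRL_SCCRP  2    /* Start-Control-Connection-Reply */
#define PPTP_HDR_LEN     12
#define PPTP_SCC_LEN     156  /* SCCRQ and SCCRP are both fixed at 156 octets */
#define PPTP_NAME_LEN    64   /* Host Name and Vendor fields; not NUL-terminated on the wire */
enum { PPTP_OK = 0, PPTP_ERR_SHORT = -1, PPTP_ERR_LENGTH = -2, PPTP_ERR_MAGIC = -3, PPTP_ERR_TYPE = -4 };

struct sccrp {
    uint8_t result, error;                /* result 1 = control connection established */
    char hostname[PPTP_NAME_LEN + 1];     /* always NUL-terminated after parsing */
    char vendor[PPTP_NAME_LEN + 1];
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Fixed-width name field to C string: bounded by the field size, never by a terminator. */
static void copy_name(char *dst, const uint8_t *src) { memcpy(dst, src, PPTP_NAME_LEN); dst[PPTP_NAME_LEN] = '\0'; }

/* The 12-octet header shared by every control message (octets 10-11 are Reserved0). */
static void put_header(uint8_t *out, uint16_t ctrl_type) {
    memset(out, 0, PPTP_SCC_LEN);
    put16(out + 0, PPTP_SCC_LEN); put16(out + 2, PPTP_MSG_CONTROL);
    put32(out + 4, PPTP_MAGIC);   put16(out + 8, ctrl_type);
}

/* The SCCRQ a client sends first on TCP/1723. Returns octets written, 0 if `cap` is too small. */
size_t build_sccrq(uint8_t *out, size_t cap, const char *hostname) {
    if (cap < PPTP_SCC_LEN) return 0;
    put_header(out, PPTP_CTRL_SCCRQ);
    put16(out + 12, 0x0100);  /* protocol version 1.0; octets 14-15 Reserved1 */
    put32(out + 16, 0x3);     /* framing: async | sync */
    put32(out + 20, 0x3);     /* bearer: analog | digital */
    put16(out + 24, 1);       /* max channels; octets 26-27 firmware revision */
    strncpy((char *)out + 28, hostname, PPTP_NAME_LEN);  /* 64-octet field, padded or cut, no NUL needed */
    return PPTP_SCC_LEN;
}

/* Decode an SCCRP from the `got` octets actually read off the socket. The Length
 * field is attacker-controlled: it is checked against `got` and against the fixed
 * message size before anything is read at an offset derived from it. */
int parse_sccrp(const uint8_t *buf, size_t got, struct sccrp *out) {
    if (got < PPTP_HDR_LEN) return PPTP_ERR_SHORT;
    uint16_t len = get16(buf);
    if (len < PPTP_HDR_LEN || len > got) return PPTP_ERR_LENGTH;
    if (get32(buf + 4) != PPTP_MAGIC) return PPTP_ERR_MAGIC;
    if (get16(buf + 2) != PPTP_MSG_CONTROL || get16(buf + 8) != PPTP_CTRL_SCCRP) return PPTP_ERR_TYPE;
    if (len != PPTP_SCC_LEN) return PPTP_ERR_LENGTH;
    out->result = buf[14];
    out->error = buf[15];
    copy_name(out->hostname, buf + 28);
    copy_name(out->vendor, buf + 92);
    return PPTP_OK;
}

/* Constructed SCCRP for the demos; not a capture from a real server. */
static void sample_sccrp(uint8_t *out) {
    put_header(out, PPTP_CTRL_SCCRP);
    put16(out + 12, 0x0100); out[14] = 1;           /* version 1.0, result OK */
    put32(out + 16, 0x3); put32(out + 20, 0x3); put16(out + 24, 32);
    memcpy(out + 28, "vpn-gw", 6); memcpy(out + 92, "ExampleVendor", 13);
}

/* Well-formed reply: returns the result code (1) once the hostname decoded correctly. */
int demo_good_reply(void) {
    uint8_t buf[PPTP_SCC_LEN]; struct sccrp r;
    sample_sccrp(buf);
    if (parse_sccrp(buf, sizeof buf, &r) != PPTP_OK) return -100;
    return strcmp(r.hostname, "vpn-gw") == 0 ? r.result : -101;
}

/* Length `claimed` against `got` octets on the wire: a truncated read, or a Length
 * inflated past the buffer, is the case a parser that trusts Length overruns on. */
int demo_bad_length(size_t got, uint16_t claimed) {
    uint8_t buf[PPTP_SCC_LEN]; struct sccrp r;
    sample_sccrp(buf);
    put16(buf, claimed);
    return parse_sccrp(buf, got, &r);
}

/* All 64 hostname octets used and no terminator anywhere: the copy still stops at 64. */
int demo_unterminated_hostname(void) {
    uint8_t buf[PPTP_SCC_LEN]; struct sccrp r;
    sample_sccrp(buf);
    memset(buf + 28, 'A', PPTP_NAME_LEN);
    return parse_sccrp(buf, sizeof buf, &r) == PPTP_OK ? (int)strlen(r.hostname) : -1;
}

int main(void) {
    uint8_t req[PPTP_SCC_LEN];
    printf("SCCRQ %zu octets; good=%d truncated=%d inflated=%d unterminated=%d\n",
           build_sccrq(req, sizeof req, "client-host"), demo_good_reply(),
           demo_bad_length(40, PPTP_SCC_LEN), demo_bad_length(PPTP_SCC_LEN, 0xFFFF),
           demo_unterminated_hostname());
    return 0;
}
```

Against a live host the request bytes would go over TCP to port 1723 and the reply through parse_sccrp; a reply with result 1 confirms the service is reachable on that interface, which is the check the advisory's client-side mitigation (firewalling 1723) is meant to make fail.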

  • by capt.Hij ( 318203 ) on Friday September 27, 2002 @03:53PM (#4346948) Homepage Journal
    The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.

    Thank goodness they will be keeping this information from the people who will do bad things with it. I'm sure that the script kiddies would never share this information with each other! Besides the nice people who are installing these systems really should be on a "need to know" basis anyways....

    Screw the end user.

  • by boinx ( 53670 ) on Friday September 27, 2002 @03:54PM (#4346951)
    Isn't it great that the community debugs Microsoft's security software for free? They probably don't even try to test it anymore since they can rely on everyone finding the holes and reporting them immediately on Slashdot.
    by raehl ( 609729 ) on Friday September 27, 2002 @03:55PM (#4346964) Homepage
    In a stunning revelation, a string of recent articles indexed by Slashdot.org, an internet news resource for the technically inclined, declares that software is not perfect.

    "For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."

    Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.

    "If software really does have flaws, this could really put the future of computing in jeopardy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"

    One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."
    • by Ralph Wiggam ( 22354 ) on Friday September 27, 2002 @05:02PM (#4347379) Homepage
      Your sarcasm is noted.

      I write code and I've let more bugs out than I could possibly remember. They happen, it's part of the game. But two things make this type of thing mock-worthy. 1) MS has more net worth than most countries. They need to be held to a standard that their size and resources dictates. 2) Bill has quite publicly stated that security is now their number one priority. I for one have not seen any improvement in that department.

      -B
      • I don't think that is true; clearly Microsoft has improved enormously in the last year or so, as there are far more bug fixes. It's not as if Microsoft, now concerned with security, started producing software that was more defective than before.

        I think there are two variables at play; one being that security is a larger field and more people are looking for defects in Microsoft's code, and not just Microsoft, you'll notice that there are not more exploits in other operating systems, such as Linux and even OpenBSD. Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).

        It seems clear that Microsoft is more focused on security now than ever before. This doesn't mean we'll be hearing more about bugs, it means we'll be hearing about them more!

        -Jon
        • Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).

          This is simply a method of sending out updates. It may or may not have anything to do with fixing bugs. Indeed it could just as easily ensure that buggy code gets distributed quickly.
      • I for one have not seen any improvement in that department
        The test of this will be how well the products released now perform under scrutiny. How many exploits will we see from Windows XP? Windows .NET Server? How many exploits in various newer forms of old packages (SQL Server, Exchange, etc).

        The next two-three years will tell us what if anything MS has done to address these concerns. Press releases be damned. The proof will be in the pudding.
    • There is only one response to these growing doubts about the quality of proprietary software. We must put a stopper in this aiding and abetting of vandalware.

      It's okay if users whisper stories around the campfire about software bugs and hacking exploits, but we must make sure that they don't begin to peel back the layers of proprietary software and peer inside. After all, it is not the user's responsibility to worry about their welfare, they need to let the properly respected authorities handle things.

      The best course of action is to deny all vulnerabilities reported on this Slashdot. Next, we should use these open forums to ferret out and prosecute anyone caught trafficking in vandalware or any information that could be used to create such an atrocity. Developers and users alike must be taught that they have no business worrying about what goes on inside their computer; that is the job of Proprietary Makers of Software.


    • These are not bugs, just extended features that have not been documented. In this case, a remote administration tool. :) Hell, technically speaking Viagra was a bug initially; it was designed as a medicine for hypertension, which failed. But its bug was, well, you know.
    • This just in: People kill each other. I guess it's just a fact of life, eh? ;)

      Seriously tho, if you want to be the biggest player on the block, you'd better be prepared for more scrutiny. If you wanna be #1 in a market, you'll be the one wearing the biggest bullseye.

      Just like bugs are a consequence of life, so are bullseyes. They have 40 billion in the bank to fight bugs with; most other companies do not. Whereas other companies deserve some slack because they don't have these resources, MS does not.
  • I may as well be the first to post some semi-literate self-contradicting piece of Microsoft defense. I'll try to hit all the cliches so you won't feel you're on the wrong 'blog.

    The Slashdot editors posted a link to a Microsoft-backed security organisation that is devoted to making the world a better place. Just because Microsoft, which has perpetrated just about every evil on the software industry imaginable, is the company backing this other company, doesn't mean it won't be completely impartial and cause security-related bugs to become freedom-loving United States citizens!

    Slashdot is just full of trolls who can't understand that this is an ad hominem attack which means an argument that says whenever someone acts evil 100% of the time for 20 years you can't discount the possibility that this time they're acting to promote the greater good of mankind.

    Just read the article, people! And I quote:

    The organisation expects to release drafts of its guidelines in early 2003.

    See? They're going to release drafts of the guidelines in early 2003. Nothing to worry about here, folks. Move along. DRM is good. Linux is bad. Stop worrying, buy your DVDs and CDs, and consume like you've never consumed before. If you don't like it, don't buy it. Microsoft is obligated to screw the consumer. There is no monopoly. The Justice Department meted out the justice already.
    • The organisation expects to release drafts of its guidelines in early 2003.

      So how come I already know that it's going to say:
      "Partial disclosure should only be made after donating copious hours of free consultation to the vendor, full disclosure should never happen, even after the fixes are out..."
  • by snoochyboochy ( 593098 ) on Friday September 27, 2002 @03:57PM (#4346970)
    From the vnunet article... "The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate."

    This kind of information is only going to be considered "handed on a plate" to the inexperienced/newbie script kiddie who poses a minor threat. The kind of person who is going to do real damage, who has the skills and experience to aggressively hack a system is not going to gain anything from public disclosure, they will already know about the exploit. Limiting release only protects the vendor from the incessant cry for a fix..

  • Hmmm... (Score:2, Funny)

    by mstyne ( 133363 )
    What's an MSCE?
    • It's what people call themselves after they've just taken their two-week crash course on how to take the tests and pass the examinations. Apparently this is a good way of earning the degree if you don't plan on remembering any of it afterward.

      I remember fondly an individual who'd said he was an "MSCE," who knew less about how his Windows-equipped PC worked than I did--and I'd only been fixing computers professionally for about a year.

    • Re:Hmmm... (Score:4, Funny)

      by dzym ( 544085 ) on Friday September 27, 2002 @04:20PM (#4347121) Homepage Journal
      Minesweeper Certified Solitaire Expert.

      Disclaimer: There are various (unofficial) levels of MCSE-- Some may not know how to play Minesweeper or Solitaire.

      Disclaimer #2: I'm studying for a MCSE.

    • What's an MSCE?

      What CmdrTaco's spell-checker suggests for "MCSE".
  • by Anonymous Coward on Friday September 27, 2002 @04:00PM (#4347001)
    WTF, I just patched that box 3 minutes ago!!

    Yea, so what? They won't have a patch ready for weeks. I'm going to play golf.

    It is acting kinda strange. You better reboot, just to be sure.

    The server's down? Again??

    It can't be down. I rebooted it 5 minutes ago.

    Naw, they won't bother us. It's not like we're the DOD or something.

    Don't bug me now. I've almost got high score on Pinball.

    Sure, I've heard of Linux. It sucks!
  • by codwar ( 310539 ) on Friday September 27, 2002 @04:01PM (#4347004)
    CNET has more details on this problem:

    cnet technews [com.com]

    From the article:

    "This is top priority","We are proceeding with all due speed." - Christopher Budd, Microsoft security response center

  • Its called Blue Screen of Death.. We're currently on tour with Buffer Overflow and Malicious Code.

    Coming to a VPN near you...



  • I spent months trying to get my iptables firewall to allow PPTP connections to my NT server. I doubt Microsoft will address this since they have all but abandoned this type of VPN. That settles it: IPSEC in tunneling mode, here I come.
  • PPTP? (Score:5, Informative)

    by NetJunkie ( 56134 ) on Friday September 27, 2002 @04:10PM (#4347062)
    Who still runs PPTP? It was found to be under-secured a while back. Everyone should have moved on to a more standard and secure technology by now. PPTP was good back when VPNs were new and hard to set up, but that time is long gone.

    One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security, the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec even that isn't an issue.
    • by swb ( 14022 )
      What about client VPN is easy with IPSec? The extra client software? The simple OS configuration?

      I can walk a remote user through a VPN setup with the 2K PPTP setup in under 5 minutes with my eyes closed. I'm not sure I can walk myself through the 2K ipsec setup without some external docs to setup.

      I'll grant you its simple with tunneled mode between two router-like devices, but client end nodes?

      Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server. I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.
      • I can walk a remote user through a VPN setup with the 2K PPTP setup in under 5 minutes with my eyes closed. I'm not sure I can walk myself through the 2K ipsec setup without some external docs to setup.

        Setting up L2TP/IPSEC is basically the same routine. Only you have to install a certificate as well, using MMC (XP/2000) or IE (95/98/ME/NT4).

        Also, I think most of the security vulnerabilities of PPTP were specific to an older, unpatched MS client or server.

        Yes, most of them [counterpane.com]. But how good are your users' PPTP passwords? [uni-freiburg.de]

        I don't think a modern (2k/XP) PPTP stream is particularly vulnerable.

        What does the Windows version have to do with this? Is the implementation in, say, Win95 flawed, compared to Win2000/XP? What do you know that we don't know? :-)

    • A lot of people still run it. I may not like them using it at all, but they still use it. The problem with IPsec is that it's not a VPN protocol. Sure, I can link my networks up with so much encryption it is not even funny, but that damn road warrior with the Win2k laptop is shit out of luck. IPSec is more a peer to peer protocol. Give it a little time, and some more work on it with the IETF, and we may have something more suitable for VPNs. Until then, companies like Microsoft, SSH, and other security vendors will make their little odd authenticating clients.

      Up until I lost my job today, I used PPTP to gain access to any part of a fairly large IPSec based WAN that did private network routing on top of the internet. Pretty sweet, eh? It was fairly useful when I was at the LAN party gaming away and needed my Q3 key or something off one of my workstations.
  • So, what's new? (Score:2, Informative)

    PPTP's encryption algorithm was cracked years ago (in fact, about a month after it was introduced) by Bruce Schneier (sp?) et al. and hasn't been considered safe ever since.

    So now we have a buffer overflow exploit in a "VPN" product which was already known to be insecure. Another nail in PopTop's coffin, but little else.

    At the time, Schneier referred to Micro$oft's clumsy attempts at do-it-yourself encryption as "Kindergarten Cryptography."

    Nothing has changed much since then, except that maybe they've graduated to somewhere around Third Grade by now....

  • PPTP & ADSL (Score:3, Informative)

    by samfreed ( 572658 ) on Friday September 27, 2002 @04:16PM (#4347093) Homepage
    My (and many other) ISPs use PPTP as the protocol from the customer's machine to the ADSL modem or whatever "black magic", and we run PPP on top of that.

    This means that gazillions of machines using a "secure" ADSL channel are now vulnerable.

    Ho Hum. Am I glad not to be using LoseDows.

  • by Geeyzus ( 99967 ) on Friday September 27, 2002 @04:19PM (#4347110)
    Only on Slashdot would people complain about this. Didn't your mom ever complain about leaving the iron or stove on, and she had to drive all the way home to turn it off? This is obviously a remote shutdown mechanism put in place to allow sysadmins to turn their machines off if necessary, from home. No more late night runs to your cube! It's kind of like an "Easter Egg", if you will.

    Man, we praise Tivo for allowing a certain series of keystrokes to allow 30-second fast-forwarding (or is that ReplayTV, I don't remember). But when MICROSOFT has secret, useful features in place.... we rip them apart! Come on people!

    (yes, it's humor, calm down)
  • by Anonymous Coward on Friday September 27, 2002 @04:20PM (#4347118)
    The initials are the same! It's not a bug - it's an example of embrace and extend!
  • Currently, we don't know if the PPTP bug is real or a fake. Anyone can write an advisory like this, and there is no way you can tell if they tell the truth or not, unless you look carefully at the source code.

    Okay, maybe you can confirm that their claim is true using some black box testing. Unfortunately, the guys with the unlimited time budget aren't the good ones, usually.

    I don't understand the purpose of this advisory, really (at least not from a technical perspective). I don't think anyone has got a policy to disable any services based on such information. Microsoft won't admit that there is a problem until they have got a some fix. The bad guys will work overtime to discover the exact nature of this security defect, and the good guys will work overtime as usual, but are busy with other issues.
  • Doomsday? (Score:5, Insightful)

    by __aadhrk6380 ( 585073 ) on Friday September 27, 2002 @04:45PM (#4347289) Journal
    Sure, sloppy code and security holes are as bad as watered down drinks at a topless bar, but don't we get paid to stop crap like that from being perpetrated on our networks? Microsoft makes me look like a hero as far as security goes.

    Yes, Mr. Customer, I did charge you quite a bit, but I have enclosed a listing of the bugs and security flaws that I patched while I was here. These are things you usually never know about until you get burned by them, but I feel I owe it to you to stay on top of them and help you stay current...

    Microsoft+Bugs+Patches=Value added for me

    Keep up the good work, Bill!
    • I was expecting to see one of those profit lists. You know...

      1) Patch Microsoft bugs

      2) ???

      3) Profit!!!

  • IPSec VPN is used nowadays. I doubt a lot of servers are harmed (NT4 uses PPTP VPN if you haven't installed a 3rd party product. Win2k server uses IPSec).

    MS also said that they can't find a way to make this vulnerability to execute code on the target, vulnerable machine (CNet.com's article on this). An advisory from an unknown group which hasn't informed the vendor first but finds it necessary to cry out loud from the top of their lungs that they found a possible flaw in an old protocol and everyone should know about it, isn't very trustworthy IMHO. I think the german security group was running low on attention. Well, they got their attention now.

    I hope next time they are not this stupid and think about the people who run vulnerable systems and first discuss the flaw with the vendor and after a period (say 3 weeks) publish the flaw.
  • Most script kiddies would find exploits to use anyway, as they spread like lightning around IRC and peers. I ain't that worried about those script kiddies anyway. What I'm more worried about is corporate spies that are out after information about my current accounting or my clients and secrets.

    Why does Microsoft believe that just because nobody tells them about an exploit nobody uses it? One would imagine that if I were a hacker who works freelance, I wouldn't reveal my hacks to Bugtraq. If I did, my tools to do the work (steal information) would be gone.

    When Bugtraq gets information about an exploit, it could have been known to foreign governments and real hackers for years. To wait before we release exploits will only give a false sense of security, but I can imagine that's right up Microsoft's alley.
  • Jackasses... (Score:5, Insightful)

    by schlach ( 228441 ) on Friday September 27, 2002 @05:30PM (#4347552) Journal
    Sorry, but what is the bug? I read the bugtraq "advisory", no one's replied to it yet with a "me too" or a "could not duplicate", because there's no repro information in the damn thing!

    So, in other words, let's say you run a company with a PPTP VPN. Some "security research group" sends a press release to CNET, and then eventually gets around to posting about it to bugtraq. No more information is available. You don't know whether it's a valid issue, whether it's a DoS or a remote compromise, or whether or not you're even vulnerable. Do you pull the plug on your VPN? How much money would you stand to lose by disconnecting your corp net vs. standing by and waiting for more info? Meanwhile, thousands of kids and unsavory professionals are sitting at home working on finding the PPTP bug for themselves. Pity you don't have the same amount of time to do that yourself.

    At that point, your only hope is that someone else found the bug independently, and releases a real advisory to the standard lists, so you can become aware of the scope of the problem. Someone who wasn't as concerned with media exposure as with accurate reporting and security in general.

    Incidentally, a search on securityfocus.com for Phion generates no hits for any other issues or advisories, just the "end of the world" VPN flaw [silicon.com]... we'll see.
  • Microsoft, of course, wants restricted disclosure so that its patches (binary only) are an advantage over open-source (which has patches in source code, and is in effect a full disclosure). If that becomes the way of things, you can be sure they will abuse the system and be lax about it. That's why full disclosure is essential.

    However, even with full disclosure after a fixed period of time, Microsoft will still have an advantage because the bug won't be revealed readily by the binary patch, whereas an open-source patch will prematurely reveal it. So Microsoft will have an advantage over open source either way. That means only one reason remains for them to want to suppress full disclosure: they want to be able to avoid having to develop and deliver patches in a timely manner (possibly to hold off for months so they can package it up with more and more control-ware that gives them more control over your PC).

  • If the vendor knows of a vulnerability and DOES NOT disclose it to US, YOU can expect to see us in court very soon, M$ or not. As far as making the whole exploit and gruesome details known to the public, I can agree that it might be overkill and help the script kiddies, but letting your customers fly blind is criminal when you know better. We've already dropped IIS because of M$'s inability to keep it secure in the face of poor design; if they keep it up we'll begin dropping other components.
  • ...that another dis-service pack won't be far behind?
  • Why doesn't Microsoft set up software to run in the appropriate security context? When I log on as me, I might have lots of privileges on my computer and network. This does not mean that every application I run should have those privileges. By default applications like Internet Explorer run in the security context of the current user. That means that code in IE can do anything I can do. That does not make much sense most of the time. Ideally all applications (like those in these bug reports) should run with the absolute minimum of security rights. It should then be possible for me to grant applications more security rights as they need it. The problem here is not the technology - that is all there and working - it is the way defaults are set up and the UI for all of this stuff.
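    The least-privilege setup the comment above is asking for can be tried by hand on Windows with tools that ship with the OS. The following is an added example, not code from the thread or from Microsoft: it launches a program under a "Basic User" restricted token (the Software Restriction Policy trust level 0x20000, in which the Administrators group is marked deny-only and most privileges are stripped) and then prints what that token can do, so it can be compared with the caller's full token. The program name and the level value are assumed to be available on the machine; `runas /showtrustlevels` lists what is actually offered.

    ```powershell
    # Added example (not from the Slashdot thread or from Microsoft).
    # Run from an ordinary, non-elevated shell.

    # 1. List the trust levels this machine supports; 0x20000 is "Basic User".
    runas /showtrustlevels

    # 2. Start a command shell under the restricted token and have it report
    #    its own group SIDs (Administrators should show "Group used for deny only")
    #    and its remaining privileges.
    runas /trustlevel:0x20000 "cmd.exe /k whoami /groups & whoami /priv"

    # 3. For comparison, the same two reports for the caller's unrestricted token.
    whoami /groups
    whoami /priv
    ```

    The useful check is the difference between steps 2 and 3: any application started the way step 2 starts `cmd.exe` runs as the same user, but cannot exercise the Administrators membership or the privileges that the full token carries, which is exactly the "minimum rights by default, grant more when needed" arrangement the comment describes.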
  • The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.

    Script kiddies are not the problem. Let this message be shouted from the hills. A script kiddie scrawls his name on your corporate web page and leaves a little egg on your face. They are harmless. The person you need to worry about a LOT is the hacker who knows what he is doing, who already knows your flaws, and is looking for your company secrets, your pre-patent diagrams, your strategy memos, and who wants to sell them to the highest bidder.
  • "Microsoft treats security vulnerabilities as public relations problems" Bruce Schneier.
  • by Rogerborg ( 306625 ) on Saturday September 28, 2002 @04:42AM (#4349386) Homepage
    IT guy: Since you keep pestering us about network issues, we've decided to let you trial our new teleworker VPN.
    Me: 'kay, what are we using?
    IT guy: eSmith VPN
    Me: Which is? PPTP VPN? IPsec?
    IT guy: What? Use Windows 2K VPN to connect.
    Me: Uh, right. I'll be using PPTP on my Linux box, is that all right?
    IT guy: No way!
    Me: Why not?
    IT guy: It's not on the approved software list, therefore it's a potential security risk.
    Me: Uhhh... all right. Then I'll use Win2K VPN.
    IT guy: Really?
    Me: Sure, as far as you know.

    Which pretty much sums up commercial IT. Better the devil you know than the devil you don't.

"I've finally learned what `upward compatible' means. It means we get to keep all our old mistakes." -- Dennie van Tassel
