[ISN] Simple attack hurts Microsoft server product

From: InfoSec News <isn_at_C4I.ORG>
Date: Wed 18 Apr 2001 - 00:29:57 CDT
http://news.cnet.com/news/0-1003-200-5643775.html?tag=mn_hd

By Stephen Shankland
Staff Writer, CNET News.com
April 17, 2001, 3:30 p.m. PT

A Microsoft Windows 2000 server software package can be crashed by
sending it a comparatively simple request for a Web page, a security
firm has discovered.

SecureXpert Labs reported the vulnerability in Microsoft's Internet
Security and Accelerator (ISA) software, which is used to protect
internal networks from outside attackers and to bridge internal
networks with the public Internet.

Microsoft acknowledged the problem Monday and issued a patch.

An attacker can take advantage of the vulnerability by sending the
server a request to view a Web page with an unusually large
address--for example, one with the letter A repeated 3,000 times,
SecureXpert Labs said. Sending such a request will prevent the ISA
software from letting computers inside its network view outside Web
pages or letting outside computers view inside pages.

While the vulnerability wouldn't permit an attacker to take over a
company's server, it could be used to make a Web page inaccessible to
the public, Microsoft said.

In the array of possible methods to attack a server, this type is very
simple and easily launched.

Though analysts agree the newer Windows 2000 operating system is more
secure than its predecessors, Microsoft still faces a host of security
problems. For example, future versions of its Outlook e-mail software
will ban many file types in an effort to prevent the spread of viruses
that can reproduce quickly because of tight integration between
different Microsoft products.

The ISA software must be restarted to restore the service, but the
server doesn't need to be rebooted, Microsoft said.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Wed Apr 18 01:11 CDT 2001