Administrators waiting for Microsoft to respond to a vulnerability in its Point-to-Point Tunneling Protocol (PPTP) are forced to make a decision from two bad options, said a security expert.
Sept. 26 BugTraq, an online news group, issued a report informing IT pros that hackers are able to penetrate Microsoft's PPTP technology and wrest control of PPTP servers and clients and assume administrative privileges.
Microsoft hasn't yet issued a patch for the security hole, so IT pros have two choices, said Scott Blake, vice president of Information Security at BindView, a Houston-based firm that develops security management and vulnerability assessment software.
Either shut off the PPTP server or leave it on and hope for the best. Both decisions are bad news for companies and IT pros. Turn PPTP off, and remote workers can't log on to the network, halting a company's productivity. Leave it on, and the network is playground for hackers.
Microsoft officials dispute the claim that the vulnerability allows hackers to control PPTP servers and clients, Blake said. The officials told him they believe the security hole only allows hackers to crash the servers, said Blake, who spoke with Microsoft last week. The source of the PPTP security bulletin is reliable, Blake said.
Said a Microsoft spokesman Friday: "Based on our preliminary investigation, we've not yet been able to demonstrate that this vulnerability can be used to execute arbitrary code. The Microsoft Security Response Center is investigating this issue as a top priority."
Microsoft hasn't officially recognized the security vulnerability, Blake said. Typically, Microsoft recognizes software bugs and releases patches at the same time, Blake said. In this case, the PPTP technology can't be fixed overnight.
"We're talking about a pretty complex set of code" that no one else has access to, Blake said.
Eighteen hours after the Internet security bulletin, BindView released free software for existing customers that checks networks and informs IT pros which servers are at risk.
PPTP is a networking technology available in NT 4.0, Windows 2000 and Windows XP that allows users to remotely log onto virtual private networks. Specifically, PPTP allows two Internet hosts to communicate over a secure channel by providing security features, including authentication and encryption.
The vulnerability affects all Microsoft Windows 2000 and Windows XP systems running the PPTP Server or PPTP Client. At press time, it was unknown whether NT systems are vulnerable.
FOR MORE INFORMATION