
Yet more security holes uncovered...
Published: 31 October 2002 16:40 GMT
Windows 2000 and Windows XP servers can be attacked through the software often used to create secure connections to remote workers, Microsoft said on Wednesday.
A buffer overflow in the implementation of Point to Point Tunnelling Protocol (PPTP) in the two operating systems allows attackers to cause any Windows 2000 or Windows XP server to crash.
Microsoft also warned of a bug in Windows 2000 that could allow an attacker to sabotage the system via a Trojan horse.
The PPTP bug, which received a "critical" rating from Microsoft, affects both servers and clients, but the client attack is more difficult to carry out. Microsoft said that attackers could feed specially-formed control data to the part of the PPTP software that connects and disconnects PPTP sessions, which would corrupt the system core memory, causing the system to fail. Any server that offers PPTP, or a workstation manually configured to offer PPTP, is affected.
PPTP client systems can also be attacked using the exploit, but only during an active session, Microsoft said.
The standard is used to create secure connections over insecure networks such as the internet. These connections, known as virtual private networks (VPNs), are commonly used by remote workers to connect to the corporate network. Windows 2000 Internet servers are most likely to be affected by the bug, Microsoft said. It does not affect Windows 98, Windows 98SE, Windows ME or Windows NT 4.0.
Users and administrators are recommended to install a patch, found with the security bulletin on Microsoft's TechNet website.
The other bug affects Windows 2000 workstations and a select few Windows XP workstations, and allows a malicious user on a multi-user system to implant a Trojan horse that could be automatically executed by another unsuspecting user on the same machine. The Trojan horse would execute with the privileges of the user who executed it, allowing it to alter files, erase hard drives and the like.
The Trojan bug is possible because of the way Windows 2000 searches for programs to execute. In some cases, when a program is invoked, the operating system looks first in the system root directory (typically C:\), which is by default open to all users. If an attacker created a Trojan horse with the same name as a frequently-used program, the user could invoke the Trojan instead of the legitimate program.
This attack could most easily be carried out if, at log on, Windows was set up to automatically invoke certain programs, and the attacker knew the names of those programs. Otherwise, the attacker would have to convince another user to invoke a program using Windows' Start/Run menu.
Workstations that aren't shared would not be vulnerable, because the attacker must have privileges to log onto the machine. Servers are at no risk and Remote Terminal server sessions are also set up in such a way that the attack would not work.
There is no patch for this bug, but Microsoft recommends that system administrators review the permissions for the system root directory.
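Since the article's only mitigation is to review the permissions on the system root directory, the following PowerShell script is an added example of what that review could look like on a host; it is not code from the article or from Microsoft. It assumes the system root is the root of `$env:SystemDrive` (typically `C:\`, as the article states), that the review is run from an elevated PowerShell prompt on the machine in question, and that the group names listed in `$broadGroups` are the ones an administrator would consider "open to all users". As a second, related check drawn from the article's point that the attack is easiest against programs invoked automatically at log on, it also lists Run-key entries whose command is written without a full path, since those are the names an attacker would only need to guess.

```powershell
# Added example, not part of the original article or of Microsoft's bulletin.
# Part 1: find broad groups that can create or modify files in the system root.
# Part 2: list autostart (Run key) commands that are not given as full paths.
# Assumptions: $env:SystemDrive is the system root; run elevated on the host.

$root = "$env:SystemDrive\"

# Groups treated here as "everyone on the machine" (assumption; adjust to taste).
$broadGroups = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal plant a new file in the directory.
$rights = [System.Security.AccessControl.FileSystemRights]
$writeMask = $rights::CreateFiles -bor $rights::Write -bor $rights::Modify -bor $rights::FullControl

function Get-BroadWriteAccess {
    param([string]$Path, [string[]]$Groups)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries for the broad groups matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Groups -notcontains $who) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-UnqualifiedRunEntries {
    # Run keys for the machine and the current user; others (RunOnce etc.) could be added.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata fields
            $cmd = [string]$p.Value
            $cmd = $cmd.Trim()
            # Treat a drive letter, UNC prefix or leading environment variable as "qualified".
            $qualified = $cmd -match '^"?([A-Za-z]:\\|\\\\|%)'
            if (-not $qualified) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

$aclFindings = @(Get-BroadWriteAccess -Path $root -Groups $broadGroups)
$runFindings = @(Get-UnqualifiedRunEntries)

if ($aclFindings.Count -eq 0) {
    Write-Output "No broad group has create/modify rights on $root"
} else {
    Write-Output "Broad groups with write access to ${root}:"
    $aclFindings | Format-Table -AutoSize
}

if ($runFindings.Count -eq 0) {
    Write-Output 'All Run-key commands are given with a full path.'
} else {
    Write-Output 'Run-key entries invoked without a full path (review these):'
    $runFindings | Format-Table -AutoSize
}
```

The ACL test masks the access-control entry's rights against a combination of `CreateFiles`, `Write`, `Modify` and `FullControl`, so an entry that only grants read and execute is not reported; an entry that grants any of the create-or-modify rights to one of the broad groups is what the article's recommendation is asking administrators to look for. The default root ACL differs between Windows versions, so the output should be read against the baseline expected for the host rather than as a verdict on its own.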
With the two new warnings, Microsoft has issued 64 alerts this year. Microsoft earlier this year launched a drive to make its software more secure.
Matthew Broersma writes for ZDNet UK