Security

Patch in for Microsoft server spoofing flaw

Attackers could use hole in small-business software to trick personal information out of people.

Stay on top of the latest tech news with our free IT News Digest newsletter, delivered each weekday. Automatically sign up today!

By Robert Lemos
CNET News.com

A flaw in Microsoft's security server software could allow an attacker to fool business users into thinking that malicious content can be trusted, the software giant warned Tuesday.

The vulnerability affects Microsoft's Internet Security and Acceleration (ISA) Server 2000 software, which acts as a firewall, a content filter and a Web content cache. The software is sold both as a standalone product and included in Microsoft's Small Business Server package.

The company issued a patch for the vulnerability, which is also found in Microsoft Proxy Server 2.0, in its monthly advisory on Tuesday. It ranks the flaw as "important," its second-highest rating.

"Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example, a malicious Web site," Microsoft said in its latest advisory.

The flaw affects one function of Microsoft's ISA server: Its ability to cache Web content to speed access to frequently visited Web sites. Large graphics and files from sites visited by one employee at a company are held in the cache and delivered up when another worker visits the same site. The ISA flaw enables an attacker to insert malicious content, such a spoofed form, in the cache and relabel it as content from a banking site, for example.

Security company Symantec warned companies that have the ISA software that the flaw could be used to gather sensitive information from users. After enticing a user to a malicious Web site, the attacker could create false forms that appear to come from valid domains.

To guard against the threat, Symantec advised people not to click on links that lead to unknown Web sites.

"With the increasing prevalence of phishing attacks, this vulnerability may provide yet another platform for the gathering of identity information," Oliver Friedrichs, senior manager at Symantec Security Response, said in a statement.

Tuesday's advisory is part of a tradition of monthly alerts that Microsoft started a year ago. This month, only the single ISA Server flaw was revealed. That's a significant departure—in October, for example, the software giant announced more than 20 flaws on the same day.

Microsoft also has started giving the public advance notice of coming patches, announcing that it would release some details of each planned patch on the weekend before the fix is released.

The flaw does not affect Microsoft ISA Server 2004, the company said. With ISA Server 2000 and Proxy Server 2.0, Microsoft advised system administrators to apply the patch or to set the DNS (domain name system) cache on affected systems to zero, which would prevent the flaw from being exploited.

Editor's Picks

Free Newsletters, In your Inbox