Slashdot Mirror
Microsoft PPTP Buffer Overflow; VPNs Vulnerable
An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.
Thank goodness they will be keeping this information from the people who will do bad things with it. I'm sure that the script kiddies would never share this information with each other! Besides the nice people who are installing these systems really should be on a "need to know" basis anyways....
Screw the end user.
In a stunning revalation, a string of recent articles indexed by Slashdot.org, an internet news resource for the technically inclined, declares that software is not perfect.
"For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."
Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.
"If software really does have flaws, this could really put the future of computing in jeapordy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"
One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."
paintball
Who still runs PPTP? It was found to be under-secured a while back. Everyone should have moved on to a more standard and secure technology by now. PPTP was good back when VPNs were new and hard to set up, but that time is long gone.
One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security, the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec even that isn't an issue.
Sure, sloppy code and security holes are as bad as watered down drinks at a topless bar, but don't we get paid to stop crap like that from being perpetrated on our networks? Microsoft makes me look like a hero as far as security goes.
Yes, Mr. Customer, I did charge you quite a bit, but I have enclosed a listing of the bugs and security flaws that I patched while I was here. These are things you usually never know about until you get burned by them, but I feel I owe it to you to stay on top of them and help you stay current...
Microsoft+Bugs+Patches=Value added for me
Keep up the good work, Bill!
Your sarcasm is noted.
I write code and I've let more bugs out than I could possibly remember. They happen, it's part of the game. But two things make this type of thing mock-worthy. 1) MS has more net worth than most countries. They need to be held to a standard that their size and resources dictates. 2) Bill has quite publicly stated that security is now their number one priority. I for one have not seen any improvement in that department.
-B