Microsoft security fix blocked VPN connections

A software patch that fixes a security flaw in the Remote Access Service (RAS) of several Windows versions has a bug that can stop users from making virtual private network (VPN) connections, Microsoft Corp. said.

The original patch was released on June 12 to fix a flaw in the phone book of RAS, a standard part of Windows NT 4.0, Windows 2000 and Windows XP. Microsoft released a revised version of the patch on Tuesday, advising customers who applied the first patch to apply the new one.

Microsoft pulled the first patch from the Windows Update service on Monday. The new patch will soon be made available through that service and is available now on TechNet, the Redmond, Washington, software company said.

Users had complained about the patch’s side effects. A system administrator at a university in California, in a posting to the NTBugtraq mailing list on June 17, wrote that his users could “no longer connect to any VPN” after applying the patch. He alerted Microsoft, which added a warning to its security bulletin three days later.

RAS is used for dial-up connections. A buffer overrun flaw exists in some versions of the RAS phone book, which is used to store information for connecting to remote systems. An attacker exploiting the flaw could gain full control over the machine or cause it to fail, according to Microsoft.

To carry out an attack, an attacker first has to change a RAS setting on the affected system, before connecting to the system using RAS. If the target system’s settings restrict user access, it will not be at risk, Microsoft said.

The original patch eliminated the vulnerability as it was supposed to, but also “introduced a bug that could have the effect of requiring administrative privileges” to establish VPN connections, according to Microsoft in its revised bulletin.

Microsoft rates the issue “critical” and urges all users to apply the new patch. The security bulletin can be found at:

http://www.microsoft.com/technet/security/bulletin/MS02-029.asp

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now