Unchecked Buffer in Microsoft Gopher Protocol Handler

Reported June 11, 2002, by Microsoft.

VERSIONS AFFECTED

· Microsoft Internet Explorer (All versions)
· Microsoft Proxy 2.0
· Microsoft Internet Security and Acceleration (ISA) Server 2000

DESCRIPTION

A buffer overrun condition exists in Microsoft’s implementation of the gopher protocol in IE, Proxy 2.0 and ISA Server 2000 that can lead to remote compromise of the affected system. This vulnerability stems from an unchecked buffer in the code that handles responses from gopher servers.
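The following C example is added here for illustration and is not Microsoft's code; the page does not say which part of the server response overflowed. It parses one gopher menu line in the RFC 1436 layout (type character, then display string, selector, host and port separated by TABs) and rejects any field that would not fit its buffer. The names `gopher_item`, `gopher_parse_line`, `copy_field` and the 255-byte `FIELD_MAX` cap are assumptions of this example.

```c
/* Added example, not vendor code: bounds-checked parse of one gopher menu line. */
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 255            /* assumed per-field cap, chosen for this example */

struct gopher_item {
    char type;                   /* item type character, e.g. '0' file, '1' menu */
    char display[FIELD_MAX + 1];
    char selector[FIELD_MAX + 1];
    char host[FIELD_MAX + 1];
    unsigned port;
};

/* Copy the field [src, stop) into dst; fail instead of overrunning dst. */
static int copy_field(char *dst, size_t cap, const char *src, const char *stop)
{
    size_t len = (size_t)(stop - src);
    if (len >= cap) return -1;   /* the length check an unchecked copy omits */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "Tdisplay\tselector\thost\tport" of n bytes (trailing CRLF optional).
   Returns 0 on success, -1 on any malformed or oversized field. */
int gopher_parse_line(const char *line, size_t n, struct gopher_item *out)
{
    const char *end, *t1, *t2, *t3, *p;
    unsigned port = 0;
    while (n > 0 && (line[n - 1] == '\r' || line[n - 1] == '\n'))
        n--;
    if (n < 2) return -1;        /* need at least the type byte and one more */
    end = line + n;
    if (!(t1 = memchr(line + 1, '\t', (size_t)(end - (line + 1))))) return -1;
    if (!(t2 = memchr(t1 + 1, '\t', (size_t)(end - (t1 + 1))))) return -1;
    if (!(t3 = memchr(t2 + 1, '\t', (size_t)(end - (t2 + 1))))) return -1;
    if (copy_field(out->display, sizeof out->display, line + 1, t1) ||
        copy_field(out->selector, sizeof out->selector, t1 + 1, t2) ||
        copy_field(out->host, sizeof out->host, t2 + 1, t3))
        return -1;
    if (t3 + 1 == end) return -1;    /* empty port field */
    for (p = t3 + 1; p < end; p++)   /* digits only, value capped at 65535 */
        if (*p < '0' || *p > '9' || (port = port * 10 + (unsigned)(*p - '0')) > 65535)
            return -1;
    out->type = line[0];
    out->port = port;
    return 0;
}
```

A field of exactly `FIELD_MAX` bytes is accepted and one byte more is rejected, so the terminating NUL always lands inside the destination array.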

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-027 (Unchecked Buffer in Gopher Protocol Handler Can Run Code of Attacker's Choice) to address this vulnerability. Microsoft is currently developing a patch, but as a workaround, affected users should block the gopher protocol at the perimeter.

CREDIT

Discovered by Jouko Pynnonen.
