Simple attack hurts Microsoft server software

A Microsoft Windows 2000 server software package can be crashed by sending it a comparatively simple request for a Web page, a security firm has discovered.

SecureXpert Labs reported the vulnerability in Microsoft's Internet Security and Accelerator (ISA) software, which is used to protect internal networks from outside attackers and to bridge internal networks with the public Internet.

Microsoft acknowledged the problem Monday and issued a patch.

An attacker can take advantage of the vulnerability by sending the server a request to view a Web page with an unusually large address--for example, one with the letter A repeated 3,000 times, SecureXpert Labs said. Sending such a request will prevent the ISA software from letting computers inside its network view outside Web pages or letting outside computers view inside pages.

While the vulnerability wouldn't permit an attacker to take over a company's server, it could be used to make a Web page inaccessible to the public, Microsoft said.

In the array of possible methods to attack a server, this type is very simple and easily launched.

Though analysts agree the newer Windows 2000 operating system is more secure than its predecessors, Microsoft still faces a host of security problems. For example, future versions of its Outlook e-mail software will ban many file types in an effort to prevent the spread of viruses that can reproduce quickly because of tight integration between different Microsoft products.

The ISA software must be restarted to restore the service, but the server doesn't need to be rebooted, Microsoft said.