Microsoft advises plugging Gopher hole

As previously reported, the exploit uses Gopher, an all-but-obsolete Internet protocol for fetching data from remote computers. Finnish security company Online Solutions uncovered the vulnerability May 20 and alerted the public last week.

But the threat is much worse than first revealed by Online Solutions. The hole also exists in some Microsoft server products. Microsoft deemed the threat critical for client computers running Internet Explorer 5.01, 5.5 and 6.0 and for Internet or intranet servers running Proxy Server 2.0 or ISA Server 2000.

In the service bulletin, issued late Tuesday, Microsoft noted that older versions of its server products could be vulnerable, but the company said it didn't do any testing "because previous versions are no longer supported." Likewise, older Internet Explorer versions could be vulnerable. Microsoft does not offer fixes for these older versions.

The problem results from an "unchecked buffer in the code which handles information returned from a Gopher server," Microsoft explained in the security bulletin.

Gopher has largely disappeared from use, replaced for the most part by the HTTP protocol accessed using Web browsers.

But IE still supports the archaic protocol, which can be used to exploit a buffer overflow bug and expose a client computer to a server running malicious code. A hacker could then seize control of the client computer, with full ability to access data, copy files or install programs, among other tasks.

The hole is especially problematic because an IE user doesn't have to connect to a Gopher server; code inserted in a Web page or an HTML e-mail could redirect the person's computer to such a server.

With server products, the impact could be more serious, with the attacker able to take complete control over the server. The hacker could reformat the hard drive or create new administrator accounts for accessing the server as a seemingly legitimate user, with full access to features or network services.

Existing security settings could thwart or diminish the threat, however, such as any setting that blocks Gopher. "If a user were prevented by security policies from deleting files or changing security settings, the attacker's code would also be prevented from those actions," the bulletin states.

Still, even the strictest security settings might not be enough to prevent an attack. Microsoft noted, for example, that people with Outlook e-mail settings set to the "Restricted Zone" would still be vulnerable via HTML e-mail.

Microsoft has yet to issue patches for the security hole but is offering instructions for a temporary fix to the problem. One solution for servers is to block access to TCP port 70, which prevents Gopher protocol access.

IE users must take the more cumbersome approach of manually blocking Gopher access. One can do this by going to the Tools menu and accessing the "LAN Settings" under "Connections." Uncheck the "automatically detect settings" box and check the "use Proxy server for your LAN" box. Under the "Advanced Tab," make sure the "use the same proxy server for all protocols" box is unchecked. Finally, go to the Gopher text field and enter "localhost" and "1" in the port setting box.

Microsoft offers further instructions about the temporary fixes in the June 11 security bulletin.

This newly reported vulnerability is just one in a recent string of Microsoft security problems, despite increased emphasis on security following a companywide memo from Chairman Bill Gates in January.

Last week, Microsoft issued a security alert for ASP.NET, a collection of software for building Web-based applications. Other recent Microsoft security glitches include a pair of problems affecting how IE handles cookie files; an IE cross-scripting bug; a buffer overflow exposing MSN Messenger and Windows Messenger to hackers; and a potential breach of MSN Messenger's chat features; among others.