Hacking expert warns of 'end of the world' VPN flaw

"Getting into your web server is bad, but it's not the end of the world. But getting in through your VPN..."

Security experts have warned that a suspected vulnerability in Microsoft's popular virtual private networking application could leave corporate intranets open to serious attack.

An advisory posted by German security firm Phion Information Technologies said the vulnerability affects the point-to-point tunnelling protocol (PPTP) commonly used in the VPN software bundled in Microsoft's Windows 2000 and XP operating systems for servers and PCs.

Marc Maiffret, chief hacking officer for eEye Digital Security, said: "It's a gaping hole through the firewall. Getting into your web server is bad, but it's not the end of the world. But getting in through your VPN? There's very little security on the inside of the network."

Companies often use Microsoft's VPN to let employees log into a corporate network remotely via an encrypted channel. Because of the implied security a VPN is supposed to provide, many companies let users connect directly into an internal network - a practice that could make this flaw a valuable one for internet attackers.

Companies frequently install most security protections on the perimeter of their network, looking outward for potential threats. Any flaw that could let an attacker into the middle of a network could make a company easy prey.

Christopher Budd, security program manager for Microsoft, stressed that the software giant is continuing to work on the problem and will have a definitive answer soon. "This is top priority," he said. "We are proceeding with all due speed."

Robert Lemos writes for News.com