Microsoft finds 'critical' flaw in Phonebook

A piece of software used in creating dial-up connections in Windows XP and other versions of Windows could let attackers shut down or gain control of a PC

Microsoft has alerted users to a "critical" flaw in the Remote Access Service (RAS) Phonebook that could cause a system failure, or allow attackers to run code on vulnerable systems with LocalSystem privileges.

According to a security alert issued by Australian computer security company itSecure, RAS provides dial-up connections between computers and networks over phone lines and the RAS phonebook is used to store information about telephone numbers, security, and network settings used to dial-up remote systems.

The flaw in this instance is a phonebook value that is not properly checked and susceptible to a buffer overrun.

Affected software includes Microsoft Windows NT 4.0, Microsoft NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, Routing and Remote Access Server (RRAS), all of which include a RAS phonebook.

The software maker has issued a critical security bulletin and has released patches to fix the vulnerability.

According to itSecure chief security officer Raul Wegat, anyone who uses their computer to connect to a network such as the Internet, a VPN, office network via dialup, for example, would be vulnerable. But he added: "We're currently not aware of any exploit tools in circulation."

ItSecure has tagged the vulnerability as "very severe".

"We rate software vulnerabilities based the vendors rating as well as our evaluation of the impact the vulnerability may have. We often rate Alerts higher than vendors due to vendors' propensity to 'under-rate' the problem," Wegat said.

The world's dominant software vendor posted two other technical advisories on Wednesday night. The first alerts users to a vulnerability in Microsoft SQLXML that could allow attackers to execute code of their choice on the Microsoft Internet Information Services (IIS) Server, or execute a script on a user's computer with a higher privilege than is allowed.

The other alert concerns a new vulnerability in IIS Servers that could allow an attacker to execute code of his or her choice on the victim server. Both carry a "moderate" itSecure risk assessment.

"The main concern with these three alerts, as with all Microsoft vulnerabilities, is that with the prolific use of Microsoft products their software development process, particularly testing, needs to improve," Wegat said.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.