BlackICE slips up over serious security risk

Modified ping flood attack

Security tools vendor ISS is warning of a potential denial of service risk to its range of desktop firewall/intrusion protection systems.

Crackers might be able to crash or disrupt affected versions of its BlackICE Defender and BlackICE Agent desktop products, and affected versions of RealSecure Server Sensor using a modified ping flood attack, it has been discovered.

The vulnerability could allow attackers to execute arbitrary code (which could be a virus or Trojan horse backdoor) on targeted computers, ISS warns.

A flaw in routines used for capturing transmitted packets is behind the problem.

Most corporate firewalls already block ICMP-based attacks (like ping flood) from external IP addresses, so the risk isn't that serious for enterprise users. That said, the vulnerability stills counts as an embarrassing oversight by ISS, especially after it made considerable play in highlighting a lesser DoS risk affecting its open source competitor, Snort, less than a fortnight ago.

ISS has developed and is testing fixes for the vulnerability. Details of what patches are available now, and details of suggested workarounds (which involve blocking ICMP packets) can be found here. ®

Related stories:
Stealth encoding bypasses IDS protection
Denial of service warning for network security tool
IDS users swamped with false alerts
Network ICE CTO responds to further BlackICE criticisms
ISS to acquire Network ICE
Different approach to intrusion detection touted
Carnivore substitute keeps Feds honest
Network Ice posts do-it-yourself Carnivore kit

Sponsored: How to determine if cloud backup is right for your servers