BlackICE slips up over serious security risk [printer-friendly] • The Register

Original URL: http://www.theregister.co.uk/2002/02/11/blackice_slips_up_over_serious/

BlackICE slips up over serious security risk

Modified ping flood attack

Posted in Business, 11th February 2002 13:05 GMT

Free whitepaper – Optimizing the data center for cost and efficiency

Security tools vendor ISS is warning of a potential denial of service risk to its range of desktop firewall/intrusion protection systems.

Crackers might be able to crash or disrupt affected versions of its BlackICE Defender and BlackICE Agent desktop products, and affected versions of RealSecure Server Sensor using a modified ping flood attack, it has been discovered.

The vulnerability could allow attackers to execute arbitrary code (which could be a virus or Trojan horse backdoor) on targeted computers, ISS warns (http://www.iss.net/security_center/alerts/advise109.php).

A flaw in routines used for capturing transmitted packets is behind the problem.

Most corporate firewalls already block ICMP-based attacks (like ping flood) from external IP addresses, so the risk isn't that serious for enterprise users. That said, the vulnerability stills counts as an embarrassing oversight by ISS, especially after it made considerable play in highlighting a lesser DoS risk affecting its open source competitor, Snort, (http://www.iss.net/security_center/alerts/advise108.php) less than a fortnight ago.

ISS has developed and is testing fixes for the vulnerability. Details of what patches are available now, and details of suggested workarounds (which involve blocking ICMP packets) can be found here (http://www.iss.net/support/consumer/BI_downloads.php). ®

Related stories:
Stealth encoding bypasses IDS protection (http://www.theregister.co.uk/content/archive/21573.html)
Denial of service warning for network security tool (http://www.theregister.co.uk/content/archive/17660.html)
IDS users swamped with false alerts (http://www.theregister.co.uk/content/archive/23420.html)
Network ICE CTO responds to further BlackICE criticisms (http://www.theregister.co.uk/content/archive/19507.html)
ISS to acquire Network ICE (http://www.theregister.co.uk/content/archive/18647.html)
Different approach to intrusion detection touted (http://www.theregister.co.uk/content/archive/17451.html)
Carnivore substitute keeps Feds honest (http://www.theregister.co.uk/content/archive/21992.html)
Network Ice posts do-it-yourself Carnivore kit (http://www.theregister.co.uk/content/archive/13412.html)