A software patch that fixes a security flaw in the Remote Access Service (RAS) of several Windows versions has a bug that can stop users from making virtual private network (VPN) connections, Microsoft Corp. said.
The original patch was released on June 12 to fix a flaw in the phone book of RAS, a standard part of Windows NT 4.0, Windows 2000 and Windows XP. Microsoft released a revised version of the patch on Tuesday, advising customers who applied the first patch to apply the new one.
Microsoft pulled the first patch from the Windows Update service on Monday. The new patch will soon be made available through that service and is available now on TechNet, the Redmond, Washington, software company said.
Users had complained about the patch’s side effects. A system administrator at a university in California, in a posting to the NTBugtraq mailing list on June 17, wrote that his users could “no longer connect to any VPN” after applying the patch. He alerted Microsoft, which added a warning to its security bulletin three days later.
RAS is used for dial-up connections. A buffer overrun flaw exists in some versions of the RAS phone book, which is used to store information for connecting to remote systems. An attacker exploiting the flaw could gain full control over the machine or cause it to fail, according to Microsoft.
To carry out an attack, an attacker first has to change a RAS setting on the affected system, before connecting to the system using RAS. If the target system’s settings restrict user access, it will not be at risk, Microsoft said.
The original patch eliminated the vulnerability as it was supposed to, but also “introduced a bug that could have the effect of requiring administrative privileges” to establish VPN connections, according to Microsoft in its revised bulletin.
Microsoft rates the issue “critical” and urges all users to apply the new patch. The security bulletin can be found at:
http://www.microsoft.com/technet/security/bulletin/MS02-029.asp