Windows NT in Net alert

Microsoft has admitted there are security flaws in its Windows NT and 95-based virtual private network software on the Internet.

The weaknesses in the software giant?s version of point-to-point tunnelling protocol (PPTP) was uncovered last week by US security consultant Counterpane Systems.

?Microsoft?s implementation (of PPTP) is seriously flawed on several levels,? said Counterpane?s president Bruce Schneier. He recommends that users avoid it completely. He added that the flaws were ?kindergarten cryptographer mistakes?.

Schneier and hacker Peter Mudge reported five major problems. These included weak algorithms allowing eavesdroppers to obtain user passwords, design flaws allowing a hacker to crash the PPTP server, and implementation mistakes allowing recovery of encrypted data.

Schneier and Mudge stressed that the problems were not with PPTP, but with Microsoft?s implementation.

Microsoft admits there are problems, saying that patches to fix some of them were already available, and others were due to follow.

In a statement on its Web site, the vendor said it had not been contacted by any customers whose Windows-based virtual private networks had been compromised.

Microsoft UK?s Windows marketing product manager Nicholas McGrath added: ?We take security incredibly seriously.?

Schneier claims the problem is not patchable, and adds that Microsoft should rebuild its PPTP implementation completely.

Robin Bloor, chief executive of analyst Bloor Research, said he was not surprised by the revelation. ?Windows NT was never designed for the Internet. Users should go for something proven, such as Unix or AS/400. Microsoft?s marketing doesn?t reflect reality, but that?s hardly new.?