Since last November, Citrix Systems has fixed four serious vulnerabilities that security researchers have uncovered in its popular Presentation Server software. Although the vendor rated all four as serious, Citrix says the security of its flagship product isn't a problem.
Presentation Server gives remote users secure access to applications on the network by making them accessible behind the firewall and encrypting data between the server and client.
The four vulnerabilities weren't related and were discovered in different components of the Presentation Server software, said Kurt Roemer, chief security strategist at Fort Lauderdale, Fla.-based Citrix.
For example, a buffer overflow flaw discovered in January in the software's print provider component, which lets users print to local printers from published applications, also affected several other vendors, Roemer said.
The print provider issue underscores the fact that virtual environments are complex and require many different vendors to work together on security issues that arise, he added.
"Lots of times when you are integrating with other operating systems and modules, just the integration can create vulnerabilities. We have to look at the security of everything we interface with, and make sure information is shared between partners ahead of time to react quickly and proactively when security issues arise," he said.
James Candelaria, vice president of engineering at The Admins, a Madison, N.J.-based solution provider and Citrix partner, said more vulnerabilities are being found in Presentation Server because attackers are looking deeper into the network stack for new attack vectors, and they're starting to go after the low-hanging fruit of application layer vulnerabilities.
Although security risks are less prevalent in Presentation Server than in the underlying Windows platform, Presentation Server is a forward-facing service, so additional care needs to be taken when securing it, Candelaria said.
"Securing Presentation Server is more challenging than securing Windows because application virtualization software needs to be exposed to the outside, which heightens the risk," said Candelaria.
Presentation Server is no more susceptible to security vulnerabilities than any other software, but the product's popularity could eventually make it an attractive target for attackers, said Mike Rothman, president of Security Incite, an Atlanta-based consulting firm.
"The possibility that you can knock down 15-20 desktops with one fell swoop makes the bad guys more efficient, but it's not a problem on the level of critical data center infrastructure," Rothman said.
Citrix has been improving the security of Presentation Server with each new release -- including 4.5, which began shipping March 1 -- by running services with fewer security privileges. Internally, Citrix is working to eliminate buffer overflows and other security issues through an expanded program of secure development training, integrated code review and assessment, according to Roemer.
"These best practices help contain the impact of vulnerabilities in all applications -- not just the components that Citrix provides," Roemer said.