Citrix: Presentation Server Flaws No Cause For Alarm

Presentation Server gives remote users secure access to applications on the network by making them accessible behind the firewall and encrypting data between the server and client.

The four vulnerabilities weren't related and were discovered in different components of the Presentation Server software, said Kurt Roemer, chief security strategist at Fort Lauderdale, Fla.-based Citrix.

For example, a buffer overflow flaw discovered in January in the software's print provider component, which lets users print to local printers from published applications, also affected several other vendors, Roemer said.

The print provider issue underscores the fact that virtual environments are complex and require many different vendors to work together on security issues that arise, he added.

"Lots of times when you are integrating with other operating systems and modules, just the integration can create vulnerabilities. We have to look at the security of everything we interface with, and make sure information is shared between partners ahead of time to react quickly and proactively when security issues arise," he said.

James Candelaria, vice president of engineering at The Admins, a Madison, N.J.-based solution provider and Citrix partner, said more vulnerabilities are being found in Presentation Server because attackers are looking deeper into the network stack for new attack vectors, and they're starting to go after the low-hanging fruit of application layer vulnerabilities.

Although security risks are less prevalent in Presentation Server than in the underlying Windows platform, because Presentation Server is a forward facing service, additional care needs to be taken when securing it, Candelaria said.

"Securing Presentation Server is more challenging than securing Windows because application virtualization software needs to be exposed to the outside, which heightens the risk," said Candelaria.

Presentation Server is no more susceptible to security vulnerabilities than any other software, but the product's popularity could eventually make it an attractive target for attackers, said Mike Rothman, president of Security Incite, an Atlanta-based consulting firm.

"The possibility that you can knock down 15-20 desktops with one fell swoop makes the bad guys more efficient, but it's not a problem on the level of critical data center infrastructure," Rothman said.

Citrix has been improving the security of Presentation Server with each new release -- including 4.5, which began shipping March 1 -- by running services with fewer security privileges. Internally, Citrix is working to eliminate buffer overflows and other security issues through an expanded program of secure development training, integrated code review and assessment, according to Roemer.

"These best practices help contain the impact of vulnerabilities in all applications -- not just the components that Citrix provides," Roemer said.