Press Release
FOR IMMEDIATE RELEASE June 26, 2007
Contact: Jill Purdy 704.236.2501
CALYPTIX SECURITY ALERTS MULTIPLE VENDORS OF SECURITY FLAW THAT THREATENS OVER ONE MILLION NETWORKS
CHARLOTTE, NC – June 26, 2007: Internet security firm
Calyptix Security has produced research exposing vulnerabilities
within security devices of multiple vendors including Redwood City,
CA-based Check Point Software Technologies. Check Point immediately
responded to the report and issued a June 26, 2007 patch to
eliminate the noted vulnerability. To date, Calyptix Security has
not received technical responses from any other vendors that it has
notified.
The cross-site request forgery vulnerability verified by Calyptix
Security impacts firewalls, unified threat management appliances,
routers, storage systems and other devices that are managed through
a web browser interface, such as Internet Explorer, Firefox or
Safari. Versions prior to 7.0.45x of the Safe@Office Unified Threat
Management device were vulnerable.
When the user is logged into a vulnerable device and views a hostile
web page crafted by an attacker, the attacker can run commands on
the device as if they were done by the user. On the products that
Calyptix has tested, these malicious actions include creating new
VPN tunnels, adding users, changing passwords, and allowing remote
administration – all of which can be done without the user's
knowledge.
"We rated this vendor's specific vulnerability as a medium threat
level," said Calyptix security expert Dan Weber. "For other
vendors we've contacted the threat level ranges from low to high,
depending upon the implementation by that vendor and how the device
is typically used. The potential vulnerability across all notified
vendors may place more than one million organizations and the
information contained in their networks at risk of exploitation by
malicious attacks."
Calyptix Security's research and development is directed by
internationally renowned authorities in Internet security who have
provided cutting-edge security knowledge, development and advice to
governmental agencies, military branches, financial institutions,
large commercial enterprises and academic institutions.
Official advisory information reported by Calyptix Security is
posted at http://labs.calyptix.com/CX-2007-04.php along with the
security team's advice for reducing exposure to risk when using
potentially vulnerable devices. Given the potential widespread
prevalence of the vulnerability in numerous devices, Calyptix
Security strongly urges users of these appliances to follow the
practical guidelines reflected in the advisory, especially if their
vendors have not confirmed or patched the security of their devices
for this vulnerability.
Calyptix has leveraged its expertise to develop effective and
affordable protection for the small to medium sized business sector
that is easy to use. Calyptix Security's AccessEnforcer proved to be
immune to the aforementioned threat. More information is available
on the company's web site.
About Calyptix Security Corporation
Calyptix Security
Corporation was founded in 2002 as a developer of all-in-one
security solutions for small and medium businesses.
AccessEnforcer™, the company's premier product, is an
all-in-one security appliance that deploys DyVax™, a
proprietary algorithm and inspection engine that has been
effectively deployed to dynamically filter email traffic from true
zero-day threats without reliance on signatures. DyVax has proven
more successful than leading antivirus solutions. For more
information, please visit www.calyptix.com.