Citrix client lays open security hole

The US Department of Homeland Security (DHS) has warned of an easily exploitable security bug in Citrix's Presentation Server Client that could leave users open to attack by malicious websites.

Security firm Secunia said the bug is "highly critical" because of its wide distribution and ease of exploitation.

Citrix Presentation Server allows companies to make applications available for use from central servers. The problem is with a feature allowing the Citrix client to connect to the server via a proxy server using the Independent Computing Architecture (ICA) protocol, according to an advisory from US-CERT, part of the DHS.

The US government organisation said the bug could allow an attacker to take over a system if affected users visit a specially crafted website.

"An unspecified implementation flaw in this functionality may allow an attacker to execute arbitrary code in the context of the client process," the advisory said.

Citrix said the bug was present in versions 9.230 and earlier of the software. "This vulnerability is likely to be exploitable in most client deployments," the company said in a security bulletin. The bug was reported to Citrix by Juniper Networks.

The simplest solution, the company said, is to upgrade to version 10.0 of the client, which contains a fix. Downloads are available from Citrix's website.

If users can't upgrade, the situation is trickier. Citrix said it has made available a "limited release" version of the older client - version 9.237 - containing a "temporary work-around until version 10.0 can be deployed".

More information on the temporary fix is available from Citrix's support site.