Recently Announced Vulnerability Exists on Estimated 5,000,000 Web Sites
Santa Clara, Calif. - May 7, 2001 -
In an announcement released last week, Microsoft strongly urged network
administrators using IIS 5.0 Web Servers running on the Windows 2000 Server
series to patch a newly discovered buffer overflow security flaw. Web-based
printer support, which is enabled by default in IIS, can be used to overflow a
buffer and exploit an automatic restart feature in Windows 2000, from which a hacker
can easily gain remote access to the server. An estimated five million Web
sites currently running Microsoft IIS need to install the patch.
By its very nature, the large amount of code generated by Microsoft contains
flaws that leave Web applications open to attack. Typically, new holes are
discovered by a hacker, the bug is widely publicized and then the vendor
posts a fix to its Web site. The key problem with patches is patch latency,
the delay between the software supplier creating a patch and the actual
deployment throughout an affected organization.
Patches for flaws are distributed almost daily but the problem is a
perpetual cycle of reactive quick fixes rather than a truly comprehensive
security defense. "With over 50% of commercial Web sites using Microsoft's
IIS Web Servers, one security flaw like this clearly exposes millions of
businesses and their data on the Web," said Izhar Bar-Gad, CTO of Sanctum, Inc.
"It is impossible to stay in front of these security vulnerabilities with a
manual solution. Sanctum's AppShield is an automated security solution that
protects a company's mission critical information from any type of application
manipulation including hacks such as buffer overflow, cross-scripting
and parameter tampering."
WHO: Izhar Bar-Gad, Chief Technology Officer, Sanctum, Inc. (Santa Clara, Calif.)
WHAT: Expert commentary on hacking and common Web application vulnerabilities
WHERE: Bar-Gad is available by phone or in person in the San Francisco Bay Area
Izhar Bar-Gad is the Chief Technology Officer for Sanctum. Prior to joining the
Sanctum team, he was a project leader for Amdocs in Israel for both the
Infrastructure and Advanced Research groups. During his military service
in the Israeli Defense Forces, Bar-Gad led the development of a large software project
involving communications and information security. Mr. Bar-Gad holds a Bachelor
of Science degree from Tel-Aviv University, and a Master's degree from
the Hebrew University, Jerusalem. He is currently a Ph.D. candidate
in "Neural Computation" at Hebrew University. For more information, contact Drea
Garrison or Tara Dugan, Schwartz Communications, Inc. at 415-512-0770.
About Sanctum, Inc. (www.SanctumInc.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Sanctum, Inc.
pioneered the market for Web application security and control software.
Sanctum software works autonomously and continuously to monitor how individuals interact
with Web applications. By detecting and defending against any unauthorized behavior,
Sanctum prevents application perversion, even if a site has unknown security holes
or flaws. Sanctum's customers include industry leaders in banking, retailing, finance,
government and healthcare. Privately held, Sanctum is funded by blue-chip venture
capital firms and industry leaders including Sequoia Capital, Walden,
Sprout Group and Intel Corporation. More information about Sanctum may be
obtained by visiting the Company's Web site, www.SanctumInc.com,
or by calling the Company directly at (408) 352-2000.
# # #
AppScan and AppShield are trademarks of Sanctum, Inc. All other product
names referenced are the property of their respective owners and
are hereby acknowledged.
For Immediate Release
Contact:
Diane Fraiman
Sanctum, Inc.
(408) 352-2000
Drea Garrison or Tara Dugan
Schwartz Communications, Inc.
(415) 512-0770