A denial of service attack can be initiated through a flaw in Microsoft’s Internet Security and Acceleration (ISA) Server Web Publishing feature. The problem occurs because Web requests larger than a particular size aren’t handled properly by the ISA Server Web Proxy service. Such requests can cause an access violation, crashing the Web Proxy service and causing a denial of service event until the service is restarted.

See the Microsoft Security Bulletin MS01-021 for further information. This bulletin has already been revised once to address Web vulnerability questions not recognized in the original bulletin.

Under most conditions, a user on the Internet can’t exploit the vulnerability because ISA Server will ignore external requests unless the Web Publishing feature is enabled. However, if an external attacker can persuade an internal user to visit a Web page or open an HTML e-mail, it could be possible to embed a URL that exploits the vulnerability from within the network.

Level of risk—moderate to high
If you don’t have the Web Publishing feature enabled, the risk is moderate. Internal users can always exploit this vulnerability, but an external Internet attack can’t usually proceed unless the Web Publishing feature is operating. It isn’t enabled by default.

However, on systems with this feature enabled, the risk level is high. The risk is also high if there isn’t a strong security policy in place that prevents users from opening HTML e-mails or visiting questionable Web sites.

This is strictly a denial of service threat that can block Internet access by crashing the Web Proxy service. The vulnerability doesn’t allow the attacker to bypass any security or firewall controls and actually penetrate the system. Any other ISA services should continue to function properly during the attack. Someone inside the firewall can exploit this at any time until the patch is applied because the Web Proxy service runs by default.

Microsoft has tested only ISA Server 2000 and Proxy Server 2.0, and this patch applies to both.

If this vulnerability is exploited, restarting the Web Proxy service can restore normal functioning. There is no need to reboot the server, and no payload can be planted in the system through this vulnerability.

The permanent fix/prevention is to install the patch immediately. You can also disable the Web Publishing feature, but this only protects against outside threats. If internal security is a concern, you need to apply the patch, which fixes the way the Web Proxy service deals with requests.

Update on IE cache problem
Here’s a follow-up on our April 2 Locksmith column, “IE exposes cache location to hackers,” which concerned Microsoft Security Bulletin MS01-015. A problem with the original patch has necessitated a revision.

Version 2.0 of the bulletin, dated April 20, states:

“Reason for Revision:

“A regression was found in the previously released Windows Script Host patch referenced in the first version of this security bulletin. We have updated and rereleased the Windows Script Host patch and have updated the bulletin accordingly. The rerelease only applies to changes with the Windows Script Host patches available in the bulletin. No changes have been made to the originally released Internet Explorer patches.

“Customers who applied the Windows Script Host patch when this bulletin was first released should download and apply the updated Windows Script Host patch referenced in the bulletin. Customers who did not apply the Windows Script Host when this bulletin was first released are encouraged to apply the Windows Script Host patch listed in the bulletin.”
