Microsoft has released Service Pack 2 for Internet Security and Acceleration (ISA)
Server 2000. This software update definitely increases the security and
stability of ISA, and administrators who manage ISA servers need to give it a
close look.

Details

Service Pack 2 for ISA Server 2000 has been released almost unnoticed
and is available in English, French, Japanese, Spanish, and German. ISA
SP2 addresses the problems described in the following Microsoft Knowledge Base articles:

    313318:
    “Cannot relay mail through ISA Server if authentication is required”

    317122:
    “Web proxy sends TCP reset instead of only closing session”

    317822:
    “Problems with Web browser if ISA Server 2000 is chained to an upstream
    Web proxy server”

    323889:
    “Unchecked buffer in Gopher protocol handler can run code of attacker’s
    choice”

    324642:
    “Macintosh clients who use MAPI cannot connect to Exchange 2000 with ISA
    Server”

    331062:
    “Running ISA Server on Windows Server 2003”

    331068:
    “ISA firewall causes handle leak in LSASS”

    331069:
    “Hotfix to permit URL path redirection in Web publishing rules”

    331070:
    “Authentication does not succeed when the user name contains a space”

    810559:
    “Slow responses and failures when you use server publishing UDP protocols”

    813864:
    “Site and content rules do not filter based on file name extensions”

    816456:
    “Flaw in ISA Server error pages could allow cross-site scripting attack”

    816828:
    “‘Permission Denied’ error message when you use rlogin to log on to a
    server on the Internet”

    818821:
    “ISA firewall service stops responding on DNS resolution”

    821724:
    “Basic credentials may be sent over an external HTTP connection when SSL
    is required”

    822241:
    “ISA Server Web proxy service maintains a connection after a client
    session is closed”

    822970:
    “Cannot read ISA Server performance data by using an SNMP program”

    828044:
    “ISA Server intermittently stops responding to Web proxy client requests”

    829892:
    “You cannot connect to external FTP sites by using a WRQ reflection FTP
    client through ISA Server 2000”

    829893:
    “RSA SecurID cookie expires frequently, and clients are repeatedly
    prompted to authenticate”

    833009:
    “ICMP traffic is not blocked during startup period with ISA Server”

    839019:
    “White spaces in URL are not correctly encoded or decoded when you log on”

The list above represents some of the most important fixes,
but there are others as well. An extensive list of other hot fixes is included
in the release notes for SP2. In addition to the hot fixes, the Microsoft Security
Bulletin “Vulnerability in Microsoft Internet Security and Acceleration
Server 2000 H.323 filter could allow remote code execution” (MS04-001) is also covered by ISA SP2.

You can download the English version of ISA SP2 here. For
more details on installing SP2, see Microsoft Knowledge Base article 313139.
If you experience problems, Microsoft says that ISA SP2 can be removed after
installation.

Final word

This service pack has nearly gone unnoticed. At least I
never saw any notices about it from Microsoft. Perhaps that was intentional
because Microsoft’s ISA Server 2004 is rumored to be almost ready to ship. However,
I suspect many administrators will want to install ISA 2000 SP2 before leaping
to adopt the latest version of the software, even though ISA 2004 incorporates
many of these security enhancements and undoubtedly includes many new features
as well. Nevertheless, it takes a brave administrator to bet the farm on a
brand-new security product.


Also watch for…

    ● Kurczaba Associates reports that ZoneAlarm Pro has a medium-level vulnerability in
    its new “mobile code” filter, but there is no known workaround yet. The problem
    is that the software fails to properly filter SSL content.

    ● There is a DoS vulnerability in all Cisco IOS systems with
    the Border Gateway Protocol (BGP) enabled. See Cisco Security
    Advisory 53021, “Cisco IOS malformed BGP packet
    causes reload,” for details. The vendor discovered this
    vulnerability.

    ● A bill that would impose heavy fines for redirecting URLs
    and spreading spyware is working its way through the U.S. Congress. CNET’s
    News.com reports that a House subcommittee has approved the Securely Protect Yourself Against Cyber
    Trespass Act (SPYACT), H.R. 2929, which would impose fines of up to $3 million for
    annoying and privacy-invading practices such as installing keystroke loggers
    and even some pop-up ads. Of course, Microsoft is already planning to include a
    pop-up ad blocker in Windows XP Service Pack 2. But this is an election year,
    so Congress may actually do something. Whether the final bill will make a real difference
    is debatable. The last time Congress got involved in helping Internet users,
    they passed CAN-SPAM, and we all know that this legislation has done little to
    affect the daily spam deluge.

    ● There are rumors around the Internet water cooler that
    Network Associates (maker of McAfee solutions) is on the market, and that Microsoft
    is considering increasing its position in the antivirus world by acquiring the
    software as well as the credibility of the McAfee name. Microsoft is denying
    interest, while theinquirer.net
    is reporting that Network Associates is saying that no discussions are being
    held. Of course, nothing can kill such a deal quicker than holding a press
    conference to announce that it may take place. So the denials are being taken
    with a grain of salt, especially just a week after Symantec’s CEO told a British
    audience that Microsoft’s move into the antivirus arena doesn’t threaten
    other vendors because the Redmond giant lacks credibility in the security field.

    ● A Linux kernel flaw in the IEEE 1394 (a.k.a. FireWire or i.Link) driver opens the door
    to DoS attacks. This applies to all versions of Linux. The driver in question
    is /usr/src/linux/drivers/ieee1394/. See Bugtraq for
    details.

    ● There is a DoS vulnerability in Sun’s Solaris operating
    system (versions 7, 8, and 9). Secunia rates this as “not critical,” but you should probably
    check it out if you’re running Solaris. The problem isn’t specified, but it lies
    in the Basic Security Module (how ironic) and patches are available. This problem
    was discovered and reported by Sun.

    ● Reuters reports that MasterCard has hired NameProtect to try to block
    phishing attacks related to the credit card giant’s accounts.