Microsoft has released Service Pack 2 for Internet Security and Acceleration (ISA)
Server 2000. This software update definitely increases the security and
stability of ISA, and administrators who manage ISA servers need to give it a
close look.
Details
Going almost unnoticed, the release of Service Pack 2 for
ISA Server 2000 comes in English, French, Japanese, Spanish, and German. ISA
SP2 addresses the problems in the following Microsoft Knowledge Base articles:
● 313318:
“Cannot relay mail through ISA Server if authentication is required”
● 317122:
“Web proxy sends TCP reset instead of only closing session”
● 317822:
“Problems with Web browser if ISA Server 2000 is chained to an upstream
Web proxy server”
● 323889:
“Unchecked buffer in Gopher protocol handler can run code of attacker’s
choice”
● 324642:
“Macintosh clients who use MAPI cannot connect to Exchange 2000 with ISA
Server”
● 331062:
“Running ISA Server on Windows Server 2003”
● 331068:
“ISA firewall causes handle leak in LSASS”
● 331069:
“Hotfix to permit URL path redirection in Web publishing rules”
● 331070:
“Authentication does not succeed when the user name contains a space”
● 810559:
“Slow responses and failures when you use server publishing UDP protocols”
● 813864:
“Site and content rules do not filter based on file name extensions”
● 816456:
“Flaw in ISA Server error pages could allow cross-site scripting attack”
● 816828:
“‘Permission Denied’ error message when you use rlogin to log on to a
server on the Internet”
● 818821:
“ISA firewall service stops responding on DNS resolution”
● 821724:
“Basic credentials may be sent over an external HTTP connection when SSL
is required”
● 822241:
“ISA Server Web proxy service maintains a connection after a client
session is closed”
● 822970:
“Cannot read ISA Server performance data by using an SNMP program”
● 828044:
“ISA Server intermittently stops responding to Web proxy client requests”
● 829892:
“You cannot connect to external FTP sites by using a WRQ reflection FTP
client through ISA Server 2000”
● 829893:
“RSA SecurID cookie expires frequently, and clients are repeatedly
prompted to authenticate”
● 833009:
“ICMP traffic is not blocked during startup period with ISA Server”
● 839019:
“White spaces in URL are not correctly encoded or decoded when you log on”
The list above represents some of the most important fixes,
but there are others as well. An extensive list of other hot fixes is included
in the release
notes for SP2. In addition to the hot fixes, the Microsoft Security
Bulletin “Vulnerability in Microsoft Internet security and Acceleration
Server 2000 H.323 filter could allow remote code execution” (MS04-001) is also covered by ISA SP2.
You can download the English version of ISA SP2 here. For
more details on installing SP2, see Microsoft Knowledge Base article 313139.
If you experience problems, Microsoft says that ISA SP2 can be removed after
installation.
Final word
This service pack has nearly gone unnoticed. At least I
never saw any notices about it from Microsoft. Perhaps that was intentional
because Microsoft’s ISA Server 2004 is rumored to be almost ready to ship. However,
I suspect many administrators will want to install ISA 2000 SP2 before leaping
to adopt the latest version of the software, even though ISA 2004 incorporates
many of these security enhancements and undoubtedly includes many new features
as well. Nevertheless, it takes a brave administrator to bet the farm on a
brand-new security product.
Also watch for…
● Kurczaba Associates reports
that ZoneAlarm Pro has a medium-level vulnerability in
its new “mobile code” filter, but there is no known workaround yet. The problem
is that the software fails to properly filter SSL content.
● There is a DoS vulnerability in all Cisco IOS systems with
the Border Gateway Protocol (BGP) enabled. See Cisco Security
Advisory 53021, “Cisco IOS malformed BGP packet
causes reload,” for details. The vendor discovered this
vulnerability.
● A bill that would impose heavy fines for redirecting URLs
and spreading spyware is working its way through the U.S. Congress. CNET’s
News.com reports
a House subcommittee has approved the Securely Protect Yourself Against Cyber
Trespass Act (SPYACT), H.R. 2929, which would impose fines of up to $3 million for
annoying and privacy-invading practices such as installing keystroke loggers
and even some pop-up ads. Of course, Microsoft is already planning to include a
pop-up ad blocker in Windows XP Service Pack 2. But this is an election year,
so Congress may actually do something. Whether the final bill will make a real difference
is debatable. The last time Congress got involved in helping Internet users,
they passed CanSPAM, and we all know that this legislation has done little to
affect the daily spam deluge.
● There are rumors around the Internet water cooler that
Network Associates (maker of McAfee solutions) is on the market, and that Microsoft
is considering increasing its position in the antivirus world by acquiring the
software as well as the credibility of the McAfee name. Microsoft is denying
interest, while theinquirer.net
is reporting that Network Associates is saying that no discussions are being
held. Of course, nothing can kill such a deal quicker than holding a press
conference to announce that it may take place. So the denials are being taken
with a grain of salt, especially just a week after Symantec’s CEO told a British
audience that Microsoft’s move into the antivirus arena doesn’t threaten
other vendors because the Redmond giant lacks credibility in the security field.
● A Linux
kernel flaw in the IEEE 1394 (a.k.a. Firewire or i.Link) driver opens the door
to DoS attacks. This applies to all versions of Linux. The driver in question
is /usr/src/linux/drivers/ieee1394/. See Bugtraq for
details.
● There is a DoS vulnerability in Sun’s Solaris operating
system (versions 7, 8, and 9). Secunia rates this as “not critical,” but you should probably
check it out if you’re running Solaris. The problem isn’t specified, but it lies
in the Basic Security Module (how ironic) and patches are available. This problem
was discovered and reported by Sun.
● Reuters reports that MasterCard has hired NameProtect to try to block
phishing attacks related to the credit card giant’s accounts.