ISA, Outlook Get Fixes
Microsoft Corp. Thursday night released a consolidated patch to fix three problems in its Internet Security and Acceleration (ISA) Server 2000 product. In a separate move, Microsoft released a fix to repair a vulnerability in Outlook 98, Outlook 2000 and Outlook 2002 that it first acknowledged in early July.
In an e-mail bulletin, which it dispatched to the subscribers of its Security mailing list, Microsoft confirmed the presence of three separate ISA vulnerabilities that attackers can exploit to perpetrate denial-of-service (DoS) or cross-site scripting attacks.
Possible attack scenarios are as follows:
An attacker could exploit a memory leak in Microsoft’s implementation of the H.323 Gatekeeper Service to perpetrate a DoS attack. H.323 Gatekeeper is an ITU standard which supports the transmission of real-time, interactive voice-over-IP traffic on corporate LANs, through firewalls and over the Internet.
Microsoft says that the ISA memory leak is triggered by a particular type of malformed H.323 data. The software giant acknowledges that an attacker can incrementally deplete the resources of a server by repeatedly sending the same malformed H.323 data.
In a now-familiar scenario, Microsoft confirms that it’s possible to so deplete the resources of a Windows 2000 server that other services and applications which reside on the same system could be affected, as well. In a worst case scenario, an attacked server could stop responding altogether.
According to Microsoft, the vulnerability only affects ISA servers that have the H.323 service installed and enabled. The software giant says that H.323 is *not* enabled by default when ISA is installed with its “Typical” configuration options. H.323 *is* installed when administrators perform “Full” installations of ISA, however.
An attacker could exploit a memory leak in ISA’s Proxy service to perpetrate a DoS attack with consequences similar to those described in the scenario above.
Microsoft says that only users on a LAN can exploit the ISA Proxy service vulnerability, however. It’s not possible for an attacker to exploit this vulnerability over the Internet.
An attacker could exploit a cross-site scripting vulnerability to trick a user into submitting a malformed URL to the ISA Server. Microsoft says that a malformed URL of this type would reference a valid web site; would request a page on the site that can’t be retrieved (a non-existent page that generates an error); and would contain script within the URL.
The error page that ISA Server returns in response to a malformed submission of this kind contains the malicious script commands that were embedded in the original URL. According to Microsoft, these script commands would execute when the page was displayed in a targeted user’s browser. The software giant says that the script would run in the security domain of the web site referenced in the URL and would also be able to access any cookies which the site has written to the user’s machine.
Microsoft says that exploiting the ISA cross-site scripting vulnerability would amount to a “daunting challenge” because an attacker would have to know which Web sites a targeted user’s Web browser is configured to trust. On the other hand, the software giant allows, it’s possible that an attacker could include a link to an unavailable Web site that she believes an ISA user has reason to trust.
Finally, Microsoft released a long-awaited patch to fix a vulnerability associated with an ActiveX control – dubbed Outlook View Control (OVW) – which Outlook 98, Outlook 2000 and Outlook 2002 leverage as a means to allow mail folders to be viewed as Web pages.
An attacker could exploit this vulnerability by luring an unsuspecting user to a Web page that contains script or HTML which invokes OVW whenever a page is opened in Internet Explorer. She could then take almost any action on an affected user’s machine, including deleting e-mails or executing arbitrary code.
Microsoft initially suggested an administrative work-around for Outlook clients that were affected by this vulnerability, and the software giant says that it is only providing patches for Outlook 2000 and Outlook 2002. Microsoft confirms that no patch is planned for Outlook 98 because it’s no longer supported.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.