RealTime IT News

Microsoft Patches ISA Server Denial-of-Service Bug

Members of the security advisory group SecureXpert Direct this week isolated a bug in Microsoft Corp.'s ISA Web server 2000 that would render the Web server victim to denial-of-service (DoS) attacks.

Simply, the ISA Server Web Proxy service will not be able to handle a certain type of Web request if it exceeds a particular length. Processing such a request would result in an access violation, which would cause the Web proxy service to fail. This would disrupt all ingoing and outgoing Web proxy requests until the service was restarted.

Triggering the DoS is not guaranteed by any means, according to the Microsoft Security Advisory bulletin. A malicious perpetrator would have to persuade an unsuspecting user to log on to a Web page or open an HTML e-mail, and then embed a URL that could exploit the hole within the network. This is because the ISA server, launched last February by the software giant, is geared to ignore requests unless the Web publishing feature is on.

So, on the external side, it is no sure shot for a would-be hacker. But internally, the perp inside the firewall could exploit the vulnerability under any conditions. Still, the hole would not allow the attacker to harness any administrative control over the firewall. There is also a limit to the potential exploitation of the flaw because it only allows the Web proxy service to be disrupted; the proxy service could be restored by restarting it.

How serious is the threat to the network? It's contingent on the Web publishing feature, as previously stated. Unless it is enabled, there is nothing to fear. And the denial of service will stagnate all Web traffic.

Upon being notified by members of the SecureXpert Direct team (Dr. Richard Reiner, Graham Wiseman, Matthew Siemens, and Kent Nicolson of FSC Internet Corp./SecureXpert Labs), Microsoft created a patch that may be obtained here.

That security for the ISA server may be threatened is not a surprise to some people, as it was billed with the "ease-of-use" interests of the .NET software-as-a-service initiative in mind. One security expert, Wayne Pierce, director of service development for Cambridge, Mass.-based Athena Security Inc., expressed concern upon the software's release on February 14.

Pierce said that while Microsoft's beta testers and sources seem to be pleased with the ISA product, he said how easy it is to use may actually be a reason for concern.

"They look like they've adapted it from their proxy server, which is fine," Pierce said. "They're pitching it as it's the Windows interface and that it's nice and easy to use. But it could also be easy for whoever is setting it up to make mistakes because people don't always know about default settings. You could put it up and protection could still be there, but if you leave the default settings, the passwords might be accessible."

Along those lines, Pierce said integration is also a concern. Too many items, such as using Word to create a rule base, or Internet Explorer to use the logs, may make ISA more susceptible to attack.

"It's a question of how tightly they are going to integrate it; how easy will it be for [IT people] to shoot themselves in the foot," Pierce said.

Microsoft, like many software companies, is no stranger to security concerns. Less than three weeks ago in March, the company reported that a hole had been detected in its Internet Explorer browser in which a hacker could allow a malicious page or e-mail to perform any action on a computer. Just a day before that, the firm announced a patch for digital certificate holes a week after it had been reported that VeriSign erroneously issued two Class 3 code-signing certificates to a person posing as a Microsoft employee. Both certificates were assigned to "Microsoft Corporation," and had the ability to sign executable content using keys that claim to belong to Microsoft.

One security expert recently said that Microsoft's bearing the brunt of a little nagging public relations snafu in announcing the holes as they are presented is minor compared to the headache the company could face if it ignored them altogether.

Dan McCall, executive vice president and co-founder of security consulting firm Guardent Inc., told InternetNews.com that Microsoft's proactive approach in isolating, testing and expounding on the vulnerabilities is refreshing in a day and age when other software vendors (of course, he would not say which) choose to ignore flaws and hope they'll go away.

"The interesting thing about this from our perspective," said McCall, who has worked with the software company often, "is that Microsoft is no more susceptible to coding errors than any other software vendor. Their products have millions of lines of code and sometimes the coding process is improper. In fact, in some ways they are less susceptible because what they choose to do is make it public as soon as possible and come up with a patch to nip it in the bud."

McCall said he has known Microsoft to design patches for holes within a couple of hours of detecting a fissure. He also said no software maker is immune from such cracks.

"From the coding standpoint, you will always find problems," McCall said. "There are just too many coding lines in software applications. I mean, you can take secure product A and combine it worth secure product B and the combination of the two software packages creates their own set of problems."

McCall also suggested that comprehensive media coverage about Microsoft's so-called security foibles works to the company's advantage as it shows that the company is willing to meet the issues head on.