Microsoft Patches ISA Server Denial-of-Service Bug

Members of the security advisory group SecureXpert Direct this week isolated
a bug in Microsoft Corp.’s ISA Web server 2000 that would render the Web server
victim to denial-of-service (DoS) attacks.

Simply, the ISA Server Web Proxy service will not be able to handle a
certain type of Web request if it exceeds a particular length. Processing
such a request would result in an access violation, which would cause the
Web proxy service to fail.
This would disrupt all ingoing and outgoing Web proxy requests until the
service was restarted.

Triggering the DoS is not guaranteed by any means, according to the
Microsoft Security Advisory bulletin. A malicious perpetrator would have to persuade an unsuspecting user
to log on to a Web page or open an HTML e-mail, and then embed a URL that
could exploit the hole within the network. This is because the ISA server,
launched last February by the software giant, is geared to ignore
requests unless the Web publishing feature is on.

So, on the external side, it is no sure shot for a would-be hacker. But
internally, the perp inside the firewall could exploit the vulnerability
under any conditions. Still, the hole would not allow the attacker to
harness any administrative control over the firewall. There is also a limit
to the potential exploitation of the flaw because it only allows the Web
proxy service to be disrupted; the proxy service could be restored by
restarting it.

How serious is the threat to the network? It’s contingent on the Web
publishing feature, as previously stated. Unless it is enabled, there is
nothing to fear. And the denial of service will stagnate all Web traffic.

Upon being notified by members of the SecureXpert Direct team (Dr. Richard
Reiner, Graham Wiseman, Matthew Siemens, and
Kent Nicolson of FSC Internet Corp./SecureXpert Labs), Microsoft created a
patch that may be obtained here.

That security for the ISA server may be threatened is not a surprise to some
people, as it was billed with the “ease-of-use” interests of the .NET
software-as-a-service initiative in mind. One security expert, Wayne Pierce,
director of service development for Cambridge, Mass.-based Athena Security
Inc., expressed concern upon the software’s release on February 14.

Pierce said that while Microsoft’s beta testers and sources seem to be
pleased with the ISA product, he said how easy it is to use may actually be
a reason for concern.

“They look like they’ve adapted it from their proxy server, which is fine,”
Pierce said. “They’re pitching it as it’s the Windows interface and that
it’s nice and easy to use. But it could also be easy for whoever is setting
it up to make mistakes because people don’t always know about default
settings. You could put it up and protection could still be there, but if
you leave the default settings, the passwords might be accessible.”

Along those lines, Pierce said integration is also a concern. Too many
items, such as using Word to create a rule base, or Internet Explorer to use
the logs, may make ISA more susceptible to attack.

“It’s a question of how tightly they are going to integrate it; how easy
will it be for [IT people] to shoot themselves in the foot,” Pierce said.

Microsoft, like many software companies, is no stranger to security
concerns. Less than three weeks ago in March, the company reported that a
hole had been detected in its Internet Explorer browser in which a hacker
could allow a malicious page or e-mail to perform any action on a computer.
Just a day before that, the firm announced a patch for digital certificate holes a week after it had been reported that VeriSign erroneously issued two Class 3 code-signing certificates to a
person posing as a Microsoft employee. Both certificates were assigned to
“Microsoft Corporation,” and had the ability to sign executable content
using keys that claim to belong to Microsoft.

One security expert recently said that Microsoft’s bearing the brunt of a
little nagging public relations snafu in announcing the holes as they are
presented is minor compared to the headache the company could face if it
ignored them altogether.

Dan McCall, executive vice president and co-founder of security consulting
firm Guardent Inc., told that Microsoft’s proactive
approach in isolating, testing and expounding on the vulnerabilities is
refreshing in a day and age when other software vendors (of course, he would
not say which) choose to ignore flaws and hope they’ll go away.

“The interesting thing about this from our perspective,” said McCall, who
has worked with the software company often, “is that Microsoft is no more
susceptible to coding errors than any other software vendor. Their
products have millions of lines of code and sometimes the coding process is
improper. In fact, in some ways they are less susceptible because what they
choose to do is make it public as soon as possible and come up with a patch
to nip it in the bud.”

McCall said he has known Microsoft to design patches for holes within a
couple of hours of detecting a fissure. He also said no software maker is
immune from such cracks.

“From the coding standpoint, you will always find problems,” McCall said.
“There are just too many coding lines in software applications. I mean, you
can take secure product A and combine it worth secure product B and the
combination of the two software packages creates their own set of problems.”

McCall also suggested that comprehensive media coverage about Microsoft’s
so-called security foibles works to the company’s
advantage as it shows that the company is willing to meet the issues head

News Around the Web