Takeaway: Get the details on Service Pack 2 for Microsoft’s Internet Security and Acceleration (ISA) Server 2000.
Microsoft has released Service Pack 2 for Internet Security and Acceleration (ISA) Server 2000. This software update definitely increases the security and stability of ISA, and administrators who manage ISA servers need to give it a close look.
Going almost unnoticed, the release of Service Pack 2 for ISA Server 2000 comes in English, French, Japanese, Spanish, and German. ISA SP2 addresses the problems in the following Microsoft Knowledge Base articles:
● 313318: “Cannot relay mail through ISA Server if authentication is required”
● 317122: “Web proxy sends TCP reset instead of only closing session”
● 317822: “Problems with Web browser if ISA Server 2000 is chained to an upstream Web proxy server”
● 323889: “Unchecked buffer in Gopher protocol handler can run code of attacker’s choice”
● 324642: “Macintosh clients who use MAPI cannot connect to Exchange 2000 with ISA Server”
● 331062: “Running ISA Server on Windows Server 2003″
● 331068: “ISA firewall causes handle leak in LSASS”
● 331069: “Hotfix to permit URL path redirection in Web publishing rules”
● 331070: “Authentication does not succeed when the user name contains a space”
● 810559: “Slow responses and failures when you use server publishing UDP protocols”
● 813864: “Site and content rules do not filter based on file name extensions”
● 816456: “Flaw in ISA Server error pages could allow cross-site scripting attack”
● 816828: “‘Permission Denied’ error message when you use rlogin to log on to a server on the Internet”
● 818821: “ISA firewall service stops responding on DNS resolution”
● 821724: “Basic credentials may be sent over an external HTTP connection when SSL is required”
● 822241: “ISA Server Web proxy service maintains a connection after a client session is closed”
● 822970: “Cannot read ISA Server performance data by using an SNMP program”
● 828044: “ISA Server intermittently stops responding to Web proxy client requests”
● 829892: “You cannot connect to external FTP sites by using a WRQ reflection FTP client through ISA Server 2000″
● 829893: “RSA SecurID cookie expires frequently, and clients are repeatedly prompted to authenticate”
● 833009: “ICMP traffic is not blocked during startup period with ISA Server”
● 839019: “White spaces in URL are not correctly encoded or decoded when you log on”
The list above represents some of the most important fixes, but there are others as well. An extensive list of other hot fixes is included in the release notes for SP2. In addition to the hot fixes, the Microsoft Security Bulletin “Vulnerability in Microsoft Internet security and Acceleration Server 2000 H.323 filter could allow remote code execution” (MS04-001) is also covered by ISA SP2.
You can download the English version of ISA SP2 here. For more details on installing SP2, see Microsoft Knowledge Base article 313139. If you experience problems, Microsoft says that ISA SP2 can be removed after installation.
This service pack has nearly gone unnoticed. At least I never saw any notices about it from Microsoft. Perhaps that was intentional because Microsoft’s ISA Server 2004 is rumored to be almost ready to ship. However, I suspect many administrators will want to install ISA 2000 SP2 before leaping to adopt the latest version of the software, even though ISA 2004 incorporates many of these security enhancements and undoubtedly includes many new features as well. Nevertheless, it takes a brave administrator to bet the farm on a brand-new security product.
Also watch for…
● Kurczaba Associates reports that ZoneAlarm Pro has a medium-level vulnerability in its new “mobile code” filter, but there is no known workaround yet. The problem is that the software fails to properly filter SSL content.
● There is a DoS vulnerability in all Cisco IOS systems with the Border Gateway Protocol (BGP) enabled. See Cisco Security Advisory 53021, “Cisco IOS malformed BGP packet causes reload,” for details. The vendor discovered this vulnerability.
● A bill that would impose heavy fines for redirecting URLs and spreading spyware is working its way through the U.S. Congress. CNET’s News.com reports a House subcommittee has approved the Securely Protect Yourself Against Cyber Trespass Act (SPYACT), H.R. 2929, which would impose fines of up to $3 million for annoying and privacy-invading practices such as installing keystroke loggers and even some pop-up ads. Of course, Microsoft is already planning to include a pop-up ad blocker in Windows XP Service Pack 2. But this is an election year, so Congress may actually do something. Whether the final bill will make a real difference is debatable. The last time Congress got involved in helping Internet users, they passed CanSPAM, and we all know that this legislation has done little to affect the daily spam deluge.
● There are rumors around the Internet water cooler that Network Associates (maker of McAfee solutions) is on the market, and that Microsoft is considering increasing its position in the antivirus world by acquiring the software as well as the credibility of the McAfee name. Microsoft is denying interest, while theinquirer.net is reporting that Network Associates is saying that no discussions are being held. Of course, nothing can kill such a deal quicker than holding a press conference to announce that it may take place. So the denials are being taken with a grain of salt, especially just a week after Symantec’s CEO told a British audience that Microsoft’s move into the antivirus arena doesn’t threaten other vendors because the Redmond giant lacks credibility in the security field.
● A Linux kernel flaw in the IEEE 1394 (a.k.a. Firewire or i.Link) driver opens the door to DoS attacks. This applies to all versions of Linux. The driver in question is /usr/src/linux/drivers/ieee1394/. See Bugtraq for details.
● There is a DoS vulnerability in Sun’s Solaris operating system (versions 7, 8, and 9). Secunia rates this as “not critical,” but you should probably check it out if you’re running Solaris. The problem isn’t specified, but it lies in the Basic Security Module (how ironic) and patches are available. This problem was discovered and reported by Sun.
● Reuters reports that MasterCard has hired NameProtect to try to block phishing attacks related to the credit card giant’s accounts.