We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

DoS flaws in Microsoft ISA Server

MS warns of flaws in ISA Server, issues patches

On Friday Microsoft reported that one of its security products, ISA (internet security and acceleration) Server 2000, has three different security holes that could lead to denial of service attacks. Microsoft has issued a patch to fix all three vulnerabilities.

The flaws are unrelated and affect ISA Server's VoIP (voice over internet protocol) capabilities, its Proxy service and ISA's error page generation.

More information about the vulnerabilities, as well as the patch to fix them, is located here.

The first vulnerability concerns a memory leak in the H.323 Gatekeeper service, which allows VoIP traffic through a firewall. Each time malformed data is sent to this service, a small amount of the server's memory is depleted, Microsoft said. If such requests are sent frequently enough, the server would be slowed down to the point of disrupting normal use.

This problem is mitigated, however, in that the server can only be attacked if the H.323 Gatekeeper component is installed, something that only happens when a user chooses a full installation, or to install everything on the software CD related to the application.

The second problem ISA Server faces is a denial of service problem in the software's Proxy service. This flaw, like the first, is also a memory leak that can cause a slowing of the server and lead to denial of service to legitimate users. This hole is made less serious because it can only be exploited by an internal user, Microsoft said.

Lastly, a complicated vulnerability in the way ISA Server handles error messages regarding irretrievable web pages can allow an attacker to execute code and gain access to cookies on both the server and user machines.

The flaw could be exploited if an attacker were able to trick a user into requesting a web page that did not reside on a server. The false URL (uniform resource locator) would also have to contain code.

This vulnerability is limited in that the attacker would have to know which sites a user trusted, which sites had placed cookies on the user's computer and that the user had specific security settings that would allow the attack.


IDG UK Sites

Best January sales 2015 UK tech deals LIVE: Best New Year bargains and savings on phones, tablets,...

IDG UK Sites

Chromebooks: ready for the prime time (but not for everybody)

IDG UK Sites

Best Photoshop Tutorials 2014: 10 inspiring step-by-step guides to creating amazing art,...

IDG UK Sites

Apple TV expert tips: get US Apple TV content, watch Google Play, use multiple Apple IDs and more