On Friday Microsoft reported that one of its security products, ISA (internet security and acceleration) Server 2000, has three different security holes that could lead to denial of service attacks. Microsoft has issued a patch to fix all three vulnerabilities.
MS warns of flaws in ISA Server, issues patches
The flaws are unrelated and affect ISA Server's VoIP (voice over internet protocol) capabilities, its Proxy service and ISA's error page generation.
More information about the vulnerabilities, as well as the patch to fix them, is located here.
The first vulnerability concerns a memory leak in the H.323 Gatekeeper service, which allows VoIP traffic through a firewall. Each time malformed data is sent to this service, a small amount of the server's memory is depleted, Microsoft said. If such requests are sent frequently enough, the server would be slowed down to the point of disrupting normal use.
This problem is mitigated, however, in that the server can only be attacked if the H.323 Gatekeeper component is installed, something that only happens when a user chooses a full installation, or to install everything on the software CD related to the application.
The second problem ISA Server faces is a denial of service problem in the software's Proxy service. This flaw, like the first, is also a memory leak that can cause a slowing of the server and lead to denial of service to legitimate users. This hole is made less serious because it can only be exploited by an internal user, Microsoft said.
Lastly, a complicated vulnerability in the way ISA Server handles error messages regarding irretrievable web pages can allow an attacker to execute code and gain access to cookies on both the server and user machines.
The flaw could be exploited if an attacker were able to trick a user into requesting a web page that did not reside on a server. The false URL (uniform resource locator) would also have to contain code.
This vulnerability is limited in that the attacker would have to know which sites a user trusted, which sites had placed cookies on the user's computer and that the user had specific security settings that would allow the attack.