Microsoft Security Bulletin MS01-021

From: Microsoft Product Security (secnotifat_private)
Date: Mon Apr 16 2001 - 07:20:48 PDT

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.
    
    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************
    
    ----------------------------------------------------------------------
    Title:      Invalid Web Request Can Cause Access Violation in ISA 
                Server Web Proxy Service
    Date:       16 April 2001
    Software:   ISA Server 2000
    Impact:     Denial of service
    Bulletin:   MS01-021
    
    Microsoft encourages customers to review the Security Bulletin 
    at: http://www.microsoft.com/technet/security/bulletin/MS01-021.asp.
    ----------------------------------------------------------------------
    
    Issue:
    ======
    The ISA Server Web Proxy service does not correctly handle web 
    requests that contain a particular type of malformed argument. 
    Processing such a request would result in an access violation, 
    which would cause the Web Proxy service to fail. This would disrupt 
    all ingoing and outgoing web proxy requests until the service was 
    restarted. 
    
    Mitigating Factors:
    ====================
     - The vulnerability could be exploited from the Internet only 
       if the Web Publishing feature were enabled. By default, 
       this feature is disabled. 
     - The vulnerability would not enable an attacker to breach the 
       security of the firewall - that is, it would not enable the 
       attacker to access protected resources or bypass the firewall. 
       It would only enable the attacker to deny legitimate service 
       to other users. 
     - The vulnerability would only allow the Web Proxy service to 
       be disrupted. Other ISA services would continue functioning 
       normally. 
    
    Patch Availability:
    ===================
     - A patch is available to fix this vulnerability. Please read 
       Security Bulletin
       http://www.microsoft.com/technet/security/bulletin/ms01-021.asp
       for information on obtaining this patch.
    
    Acknowledgment:
    ===============
     - Dr. Richard Reiner, Graham Wiseman, Matthew Siemens, and 
       Kent Nicolson of FSC Internet Corp. / SecureXpert Labs 
       (http://www.fscinternet.com / http://www.securexpert.com) 
    
    ---------------------------------------------------------------------
    
    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
    MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
    WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
    OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
    CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
    APPLY.
    
    
    
    
       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private.
    The subject line and message body are not used in processing the request,
    and can be anything you like.
    
    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.
    
    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/technet/security/notify.asp. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.
    


