From secnotif@MICROSOFT.COM Mon Apr 16 13:34:49 2001
From: Microsoft Product Security
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 16 Apr 2001 07:20:48 -0700
Subject: [BUGTRAQ] Microsoft Security Bulletin MS01-021

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.

********************************

----------------------------------------------------------------------
Title:      Invalid Web Request Can Cause Access Violation in ISA
            Server Web Proxy Service
Date:       16 April 2001
Software:   ISA Server 2000
Impact:     Denial of service
Bulletin:   MS01-021

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-021.asp.
----------------------------------------------------------------------

Issue:
======
The ISA Server Web Proxy service does not correctly handle web
requests that contain a particular type of malformed argument.
Processing such a request would result in an access violation, which
would cause the Web Proxy service to fail. This would disrupt all
ingoing and outgoing web proxy requests until the service was
restarted.

Mitigating Factors:
====================
 - The vulnerability could be exploited from the Internet only if
   the Web Publishing feature were enabled. By default, this feature
   is disabled.
 - The vulnerability would not enable an attacker to breach the
   security of the firewall - that is, it would not enable the
   attacker to access protected resources or bypass the firewall.
   It would only enable the attacker to deny legitimate service to
   other users.
 - The vulnerability would only allow the Web Proxy service to be
   disrupted. Other ISA services would continue functioning
   normally.

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-021.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Dr. Richard Reiner, Graham Wiseman, Matthew Siemens, and Kent
   Nicolson of FSC Internet Corp. / SecureXpert Labs
   (http://www.fscinternet.com / http://www.securexpert.com)

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

*******************************************************************

You have received this e-mail bulletin as a result of your
registration to the Microsoft Product Security Notification Service.
You may unsubscribe from this e-mail notification service at any time
by sending an e-mail to
MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the
request, and can be anything you like.

To verify the digital signature on this bulletin, please download our
PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp.
For security-related information about Microsoft products, please
visit the Microsoft Security Advisor web site at
http://www.microsoft.com/security.