Security Updates for ISA Server 2004, ISA Server 2006 and Forefront TMG (MBE)
ISA/TMG Community:
As much as I like to announce only exciting news, today I must blog about security updates for both the ISA and TMG (MBE) product lines. It has been almost four years since the last ISA bulletin, and we are very proud of our engineering due diligence and of the quality of the Microsoft SDL (Security Development Lifecycle) in producing a very secure and reliable product. With that said, we will also always be honest and take the high road with our customers when we find anything that can be classified as an exploit or vulnerability. In this bulletin, we have packaged two separate issues together. One was found internally through a bug investigation; the other was externally reported and responsibly disclosed to us. The two issues patched in these packages are the following:
- XSS in ISA-standard forms-based authentication (FBA), not RSA forms
  - Applies to ISA Server 2006 (RTM, Supportability Update, SP1) and TMG (MBE).
  - Does not apply to ISA Server 2000 or ISA Server 2004.
  This issue only affects Web listeners that use ISA-standard (not RSA) forms-based authentication.
- Limited Web listener DoS due to TCP state mishandling
  - Applies to ISA Server 2004 SP3, ISA Server 2006 (RTM, Supportability Update, SP1) and TMG (MBE).
  - Does not apply to ISA Server 2000.
  This issue is caused by a remote host abusing TCP state before sending data.
You can find the links to the actual bulletin and the Knowledge Base articles at the following locations:
- MSRC bulletin MS09-016: http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx
- MSRC article for MS09-016: http://support.microsoft.com/kb/961759
- Package for ISA 2004: http://support.microsoft.com/kb/960995
  - DoS fix KB: same as the package KB
- Package for ISA 2006: http://support.microsoft.com/kb/968078
  - XSS fix KB: http://support.microsoft.com/kb/968077
  - DoS fix KB: http://support.microsoft.com/kb/958951
- Package for TMG (MBE): http://support.microsoft.com/kb/968075
  - XSS fix KB: http://support.microsoft.com/kb/968076
  - DoS fix KB: http://support.microsoft.com/kb/961831
Download links:
- Forefront TMG (MBE): http://www.microsoft.com/downloads/details.aspx?FamilyID=6abf9fb4-42d0-4c67-935f-8dc67850148b
- ISA Server 2004 Standard Edition: http://www.microsoft.com/downloads/details.aspx?FamilyID=adf623fa-2d74-4f2a-9835-4b8debdb0e1b
- ISA Server 2004 Enterprise Edition: http://www.microsoft.com/downloads/details.aspx?FamilyID=d1d55ab6-3de5-4811-9693-8d43f49f5fe8
- ISA Server 2006 All Editions: http://www.microsoft.com/downloads/details.aspx?FamilyID=eda30bcc-0582-4f60-a4c5-ea5000b7c770
Notes:
1. Because the firewall driver is being replaced, these packages require a reboot on ISA or TMG servers that are operating in the proxy or firewall roles.
2. The TMG package will install on a remote management server (such as the EBS Management role), but will not update any files (they are not used there anyway).
3. TMG MBE requires the user to completely remove and reinstall the product in order to change to or from management-only mode, so the patch must be reapplied if the user makes this change.
4. The ISA packages will install on management-only servers and will update the files.
5. Changing ISA Server 2004 or ISA Server 2006 from management mode to firewall or proxy mode will not revert the updated files to the originally installed versions.
6. Because the packages are different for ISA 2006 RTM, Supportability Update and SP1, the package matching the installed minor revision (RTM, SU, SP1) must be applied, including when ISA 2006 is later updated to a different minor revision.
7. These updates will be included in any hotfix or update package that follows them.
David B. Cross
Product Unit Manager
Comments
Anonymous
January 01, 2003
News Security The Challenge of Information Security Management, Part 1 http://co1piltwb.partners.extranet.microsoft.com/mcoeredir/mcoeredirect.aspx?linkId=11740336&s1=68628015-2ccc-cbc7-31b9-0e76c3415474

Anonymous
January 01, 2003
As already announced over the weekend, yesterday's April Patch Tuesday also brought updates for ISA and

Anonymous
January 01, 2003
Please read http://blogs.technet.com/isablog/archive/2009/04/18/ms09-012-and-isa-server-standard-edition-14109-failures.aspx, which describes a workaround for the restart failures with a 14109 event ID.
Jim Harrison, Program Manager, Forefront Edge CS

Anonymous
January 01, 2003
Mikhail, if you installed this patch while connected over RDP through an Enterprise- or Array-level access rule, this is expected. Only system policies remain active when the firewall service is stopped, and this patch stops the ISA services so that it can replace the files.

Anonymous
January 01, 2003
After this update the service "Microsoft ISA Server Control" doesn't start... Details: http://social.technet.microsoft.com/Forums/en-US/Forefrontedgesetup/thread/2a137cdd-1151-4c2a-a026-6613dd4d13b2

Anonymous
January 01, 2003
Mikhail, please see the discussion in the forum thread linked by Artem.
Jim Harrison, Program Manager, Forefront Edge CS

Anonymous
January 01, 2003
After applying the patch, the "Microsoft Firewall" service doesn't start automatically. You must restart your server or start this service manually. Don't apply this patch on a remote ISA server - you may lose control of the server over the network!
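The deployment notes above say the packages replace the firewall driver and need a reboot, and the comments report the "Microsoft Firewall" and "Microsoft ISA Server Control" services not coming back after the update. The following PowerShell script is an added example, not part of the original post or of the Microsoft ISA/TMG update packages: a post-update health check an administrator can run locally on the patched server. It assumes only the service display names quoted on this page; the reboot-pending registry locations are standard Windows ones, not ISA-specific, and the `-StartStopped` switch is an assumed parameter of this script. It is written for PowerShell 2.0 so it runs on the Windows Server 2003/2008 hosts these products typically ran on.

```powershell
# Added example (not Microsoft's code): post-update check for an ISA/TMG server.
# Run locally (or over a connection allowed by system policy, not by an access
# rule, since access rules stop working while the firewall service is down).
param(
    # Display names as quoted on this page.
    [string[]]$ServiceDisplayNames = @('Microsoft Firewall', 'Microsoft ISA Server Control'),
    # Assumed switch: start services that should be running but are stopped.
    [switch]$StartStopped
)

function Test-PendingReboot {
    # Files queued for replacement at next boot (for example a replaced driver).
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    # Component Based Servicing flag (Windows Vista / Server 2008 and later).
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') { return $true }
    return $false
}

function Get-EdgeServiceState {
    param([string[]]$DisplayNames)
    foreach ($name in $DisplayNames) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            New-Object PSObject -Property @{ DisplayName = $name; Name = $null; Status = 'NotInstalled'; StartType = $null }
            continue
        }
        # Get-Service in PowerShell 2.0 does not expose the start mode; read it from WMI.
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        New-Object PSObject -Property @{
            DisplayName = $name
            Name        = $svc.Name
            Status      = $svc.Status.ToString()
            StartType   = $wmi.StartMode
        }
    }
}

if (Test-PendingReboot) {
    Write-Warning 'A reboot is pending; the replaced firewall driver is not in effect until the server restarts.'
}

$states = Get-EdgeServiceState -DisplayNames $ServiceDisplayNames
$states | Format-Table DisplayName, Name, Status, StartType -AutoSize

foreach ($s in $states) {
    if ($s.Status -eq 'Stopped' -and $s.StartType -eq 'Auto') {
        if ($StartStopped) {
            Write-Host "Starting '$($s.DisplayName)' ($($s.Name))..."
            Start-Service -Name $s.Name
        } else {
            Write-Warning "'$($s.DisplayName)' is set to start automatically but is stopped; re-run with -StartStopped or reboot the server."
        }
    }
}
```

Run it once immediately after the package installs and again after the reboot: the first run is expected to report the pending reboot and possibly stopped services, the second should show both services `Running` with no reboot pending. If a service still refuses to start after the reboot, the forum thread and the 14109 workaround linked in the comments are the places to look next.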