Security Updates for ISA Server 2004, ISA Server 2006 and Forefront TMG (MBE)

ISA/TMG Community:

As much as I like to only announce exciting news, today, I must blog about security updates for both the ISA and TMG (MBE) product lines. It has been almost four years since the last ISA bulletin and we are very proud of our engineering due diligence and the quality of the Microsoft SDL (Security Development Lifecycle) in producing a very secure and reliable product. With that said, we also always be honest and take the high road with our customers when we find anything can be classified as an exploit or vulnerability. In this bulletin, we have packaged two separate issues together. One was found internally through a bug investigation and the other externally reported and disclosed responsibly to us. The two issues we have patched in these packages are the following:

- XSS in ISA-standard FBA (not RSA forms)

o Applies to ISA Server 2006 (RTM, Supp Updt, SP1) and TMG (MBE).

o Does not apply to ISA Server 2000 or ISA Server 2004.

This issue only affects Web listeners that use ISA-standard (not RSA) forms-based authentication.

- Limited Web listener DoS due to TCP state mishandling

o Applies to ISA Server 2004 SP3, ISA Server 2006 (RTM, Supportability Update, SP1) and TMG (MBE).

o Does not apply to ISA Server 2000

This issue is caused by a remote host abusing TCP state before sending data.

You can find the links to the actual bulletin and the Knowledge Base articles at the following locations:

• MSRC bulletin MS09-016 http://www.microsoft.com/technet/security/bulletin/ms09-016.mspx;
• MSRC article for MS09-016 http://support.microsoft.com/kb/961759 

• Package for ISA 2004 http://support.microsoft.com/kb/960995
  • DoS fix KB (same as package KB)

• Package for ISA 2006 http://support.microsoft.com/kb/968078
  • XSS fix KB http://support.microsoft.com/kb/968077
  • DoS fix KB http://support.microsoft.com/kb/958951

• Package for TMG (MBE) http://support.microsoft.com/kb/968075
  • XSS fix KB http://support.microsoft.com/kb/968076
  • DoS fix KB http://support.microsoft.com/kb/961831

Download links:

• Forefront TMG (MBE): http://www.microsoft.com/downloads/details.aspx?FamilyID=6abf9fb4-42d0-4c67-935f-8dc67850148b
• ISA Server 2004 Standard Edition: http://www.microsoft.com/downloads/details.aspx?FamilyID=adf623fa-2d74-4f2a-9835-4b8debdb0e1b
• ISA Server 2004 Enterprise Edition: http://www.microsoft.com/downloads/details.aspx?FamilyID=d1d55ab6-3de5-4811-9693-8d43f49f5fe8
• ISA Server 2006 All Editions: http://www.microsoft.com/downloads/details.aspx?FamilyID=eda30bcc-0582-4f60-a4c5-ea5000b7c770

Notes:

1. Because the firewall driver is being replaced, these packages require a reboot on ISA or TMG servers that are operating in proxy or firewall roles.

2. The TMG package will install on a remote management server (such as the EBS Management role), but will not update any files (they’re not used anyway).

3. TMG MBE requires the user to completely remove and reinstall the product in order to change from / to management-only, so the patch must be reapplied if the user makes this change.

4. The ISA packages will install on management-only servers and will update the files

5. Changing ISA Server 2004 or ISA Server 2006 from management to firewall or proxy mode will not revert the updated files to the originally-installed versions

6. Because the packages are different for ISA 2006 RTM, Supportability Update and SP1, the appropriate update must be applied if ISA 2006 is updated to the minor revision (RTM, SU, SP1).

7. These updates will be included in any hotfix or update package that follows these updates

David B. Cross

Product Unit Manager