Security Updates for ISA Server 2004, ISA Server 2006 and Forefront TMG (MBE)

ISA/TMG Community:


As much as I like to only announce exciting news, today, I must blog about security updates for both the ISA and TMG (MBE) product lines.  It has been almost four years since the last ISA bulletin and we are very proud of our engineering due diligence and the quality of the Microsoft SDL (Security Development Lifecycle) in producing a very secure and reliable product.  With that said, we also always be honest and take the high road with our customers when we find anything can be classified as an exploit or vulnerability.  In this bulletin, we have packaged two separate issues together.  One was found internally through a bug investigation and the other externally reported and disclosed responsibly to us.  The two issues we have patched in these packages are the following:


-          XSS in ISA-standard FBA (not RSA forms)

o   Applies to ISA Server 2006 (RTM, Supp Updt, SP1) and TMG (MBE).

o   Does not apply to ISA Server 2000 or ISA Server 2004.

This issue only affects Web listeners that use ISA-standard (not RSA) forms-based authentication.


-          Limited Web listener DoS due to TCP state mishandling

o   Applies to ISA Server 2004 SP3, ISA Server 2006 (RTM, Supportability Update, SP1) and TMG (MBE).

o   Does not apply to ISA Server 2000

This issue is caused by a remote host abusing TCP state before sending data.


You can find the links to the actual bulletin and the Knowledge Base articles at the following locations: 





Download links:



1.       Because the firewall driver is being replaced, these packages require a reboot on ISA or TMG servers that are operating in proxy or firewall roles.

2.       The TMG package will install on a remote management server (such as the EBS Management role), but will not update any files (they’re not used anyway).

3.       TMG MBE requires the user to completely remove and reinstall the product in order to change from / to management-only, so the patch must be reapplied if the user makes this change.

4.       The ISA packages will install on management-only servers and will update the files

5.       Changing ISA Server 2004 or ISA Server 2006 from management to firewall or proxy mode will not revert the updated files to the originally-installed versions

6.       Because the packages are different for ISA 2006 RTM, Supportability Update and SP1, the appropriate update must be applied if ISA 2006 is updated to the minor revision (RTM, SU, SP1).

7.       These updates will be included in any hotfix or update package that follows these updates





David B. Cross

Product Unit Manager

Comments (7)

Cancel reply

  1. Anonymous says:

    Wie bereits am Wochenende vorangekündigt, gab es gestern zum April-Patchday auch Updates für ISA und

  2. PLease read that describes a workaround for the restart failures with a 14109 event id.

    Jim Harrison

    Program Manager, Forefront Edge CS

  3. Mikhail,

    If you installed this patch while connected over RDP through an Enterprise- or Array-level access rule, this is expected. Only system policies remain active when the firewall services is stopped and this patch stops the ISA services so that it can replace the files.

  4. Anonymous says:

    after this update service "Microsoft ISA Server Control" doesn’t start…


  5. Mikhail,

    Please see the discussion in the Forum thread linked by Artem.

    Jim Harrison

    Program Manager, Forefront Edge CS

  6. mikas says:

    After applying patch service "Microsoft Firewall" don’t start automatically. You must restart your server, or start this service manually.

    Don’t apply this patch on remote isa server – you may lost control of server  over network!

Skip to main content