I would like to clarify some points for you regarding the security advisory that was released on 13 July. Microsoft Security Advisory 937432 provides information about a vulnerability in Office Web Components (OWC) and links to a mechanism to help mitigate this vulnerability. As many customers have noticed, ISA Server 2004 and ISA Server 2006 were included in the “Applies to” product list. I’d like to take this opportunity discuss the relevance of this vulnerability and mitigation strategy for ISA Server and Forefront TMG deployments.
What OWC does for ISA Server and Forefront TMG
ISA Server makes direct use of OWC during report generation to create the charts and graphs that appear in the traffic reports. Forefront TMG makes indirect use of OWC through SQL Reporting Services (SRS) for the same purpose. Two facts help minimize the threat posed by this vulnerability to ISA Server deployments:
1. ISA report generation does not use the vulnerable OWC code path, so ISA reports cannot be impacted by this vulnerability
2. OWC creates the charts and graphs as static .gif files during ISA report generation, so OWC are not called at all when ISA reports are viewed in the browser
Affected Forefront Edge Products
· ISA Server 2004 Standard and Enterprise Editions
· ISA Server 2006 Standard and Enterprise Editions
Non-Affected Forefront Edge Products
· ISA Server 2000
· Forefront TMG
Product Relevance to this OWC Advisory
Some of you may have noticed that although ISA 2000, 2004, 2006 and TMG all use OWC to produce the reports, only ISA Server 2004 and ISA Server 2006 are listed as affected products. This is done for two reasons:
1. ISA Server 2000: the action taken for ISA Server 2000 with regard to the current OWC vulnerability is to set the killbits exactly as performed in the advisory tool mitigation application. The previous OWC security update performed this action on ISA Server 2000, so assuming you’ve updated your ISA 2000 deployments by now, ISA Server 2000 is not considered vulnerable. When the ISA Server installer packages adds OWC, it performs this without using the OWC installer MSI package, so OWC is not detectable by Microsoft Update Office detection.
2. Forefront TMG: OWC is installed and used as a component of SRS. The TMG installation process installs SRS, which installs OWC using the Office installer package. This process allows Microsoft Update mechanisms to detect OWC as an Office component and can properly decide which Office updates need to be applied to that host.
Mitigation Effects on ISA Server
Using the mitigation tools provided in the advisory do not adversely impact ISA Server report generation nor do they affect the accuracy or relevance of the report data. There may be other side effects when using other applications that call on OWC separately from ISA or TMG reports, but because no one uses their firewall as a workstation, side effects of this mitigation should pose no problems for ISA or TMG administrators.
The threat posed by this vulnerability is discussed in detail in the linked articles. Under normal circumstances, ISA Server itself and the report generation mechanisms are not vulnerable to attack through this vulnerability.
David B. Cross
Product Unit Manager