ISA 2000 Security Bulletin MS05-034


Today, we released an update for ISA Server 2000 that addresses two privately disclosed security vulnerabilities, rated Moderate at the time of writing.


The two vulnerabilities are referred to as the HTTP Content Header Vulnerability - CAN-2005-1215, and the NetBIOS Predefined Filter Vulnerability - CAN-2005-1216. 


 


Summary


Who should read this document: Customers who use Microsoft Internet Security and Acceleration (ISA) Server 2000


Impact of Vulnerability: Elevation of Privilege


Maximum Severity Rating: Moderate


Recommendation: Customers should consider applying the security update.


Security Update Replacement: None


Caveats: None


Tested Software and Security Update Download Locations:


Affected Software:


• Microsoft Internet Security and Acceleration (ISA) Server 2000 Service Pack 2 – Download the update


Note: The following software programs include ISA Server 2000. Customers who use these software programs should install the provided ISA Server 2000 security update.


• Microsoft Small Business Server 2000
 
• Microsoft Small Business Server 2003 Premium Edition
 
Non-Affected Software:


• Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition
 
• Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition
 


http://www.microsoft.com/technet/security/bulletin/MS05-034.mspx


 

Comments (2)

  1. susan says:

    Remember that this SBS 2003 thing is ONLY if you have yet to install SP1/ISA 2004.

    So if you are on SBS 2003 SP1 with added magical ISA 2004 you need no patch.

    To Tristan?
    http://msmvps.com/bradley/archive/2005/06/13/52729.aspx#52980 that’s an actual page from the 2004 [only] book [remind me to load ISA 2004 at home so I can play and not worry about blowing up the ISA at the office]

  2. Tristan K says:

    Hi Susan – yep, the rule’s fine – Tom’s comment on protocol defs doesn’t jive with my experience for 2004.

    For example:

    In ISA 2000, I needed to create a separate protocol definition for each outbound port I wanted to use, because SecureNAT clients can only use defined protocols.

    In ISA 2004, I just use All Outbound Traffic for my client workstation, and it works with *everything* I throw at it (er, everything I regularly use, which is typically games, not complex protocols requiring multiple inbound connections) – but you get the idea!

    Blogged about this a little here:

    http://blogs.technet.com/tristank/archive/2005/02/04/366680.aspx

    Cheers!
