Add as a preferred source on Google


ISA Server Is Only Half Patched

  • By Jabulani Leffall
  • 07/21/09

Microsoft's clarification of an Internet Security and Acceleration (ISA) Server patch released this month has left at least one security expert stumped.

The heart of the matter involves security advisory (973472), which was released on Monday of last week. Bulletin 973472 describes possible vulnerabilities affecting Redmond's ISA Server, specifically an ActiveX bug associated with Office Web Components (OWC). That security advisory should not to be confused with the ISA Server fix associated with a Radius One Time password setting that was addressed in the July security patch released on Tuesday.

The important part seems to be how OWC is used in ISA Server, according to David B. Cross, a product unit manager at Microsoft's Server Products Division.

"As many customers have noticed, ISA Server 2004 and ISA Server 2006 were included [in the security advisory] on the 'Applies to' product list," Cross said in a Forefront team blog, while noting that ISA Server 2000 and Forefront Threat Management Gateway aren't included. Cross goes on to say that the OWC vulnerability affecting ISA Server can be mitigated as "ISA report generation does not use the vulnerable OWC code path."

Still confused? You're not alone.

"David's Web page seems pretty confusing. He tries to say that the servers aren't vulnerable, but at the same time, he says putting in the mitigation (killbit) doesn't break anything," stated Eric Schultze, chief technology officer at Shavlik Technologies, in an e-mail. "I read this and I'm not sure what his real recommendation is."

Schultze said Tuesday's ISA server patch pertained to a scenario involving password breaches provided the ISA Server was configured specifically for Radius One Time password parameters. That issue, after applying Tuesday's patch, is presumably resolved. However, the OWC problem is still up in the air.

"The OWC patch is simply a bad control," Schultze added. "If you're sitting on the ISA Server and you browse to an evil Web page and view an evil Excel workbook (via the OWC control), the attacker can run code on the system. The ISA Server can't be exploited unless someone at the ISA console goes to an evil Web page to view the file in question."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • stacks of science worksheets with scientific icons

    Kognity Intros Blended Learning Resources for Science Instruction

    Science education platform Kognity has launched a suite of blended learning resources for its four science courses: Biology, Chemistry, Physics, and Earth & Space Science.

  • a cloud, an AI chip, and a padlock interconnected by circuit-like lines

    CrowdStrike Report: Attackers Increasingly Targeting Cloud, AI Systems

    According to the 2025 Threat Hunting Report from CrowdStrike, adversaries are not just using AI to supercharge attacks — they are actively targeting the AI systems organizations deploy in production. Combined with a surge in cloud exploitation, this shift marks a significant change in the threat landscape for enterprises.

  • open laptop with data streams

    OpenAI Launches AI-Powered Web Browser

    OpenAI has unveiled ChatGPT Atlas, a standalone browser that places ChatGPT at the heart of everyday web activity. This release represents a major expansion of the company's efforts to reshape how users search, browse, and complete tasks online.

  • Person typing on laptop with education and learning icons floating around the screen

    StudyFetch Launches Free AI-Powered Literacy Platform

    Education platform StudyFetch has introduced StudyFetch Read, a free AI-powered literacy tool designed to provide personalized reading instruction for students.