Microsoft fixes spoofing flaws in ISA, Proxy Server

By Bill Brenner, News Writer
10 Nov 2004 | SearchWindowsSecurity.com


Microsoft has fixed a content spoofing vulnerability in ISA Server 2000 and Proxy Server 2.0. But the company's November security update doesn't address the Internet Explorer IFRAME flaw exploited by three new Mydoom variants since Monday.

"This month's issue doesn't appear to be something attackers are likely to exploit," said Thor Larholm, senior security researcher with Newport Beach, Calif.-based security firm PivX Solutions. "But I think Microsoft should have done more patching this month to fix the IFRAME problem. SP2 isn't affected by this vulnerability, which tells me Microsoft already has the means to fix this quickly. Hopefully, they'll fix this outside their monthly cycle."

This month's lone bulletin fixes a vulnerability an attacker could use to spoof trusted Internet content. "Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site," the bulletin said. "However, an attacker would first have to persuade a user to visit the attacker's site to attempt to exploit this vulnerability."

Microsoft described it as an "important" vulnerability and urged those who use the servers to install the update "at the earliest opportunity." At the same time, the company pointed out three mitigating factors:

  • Attackers can't use the flaw to spoof an SSL certificate belonging to other domain names;
  • An attacker would first have to persuade a user to view content that causes a reverse lookup to occur; and
  • Systems that enable the default site and content rule permitting "all traffic" to "all destinations" are not affected, because the spoofed name never reaches a rule that could be tricked. However, the company said, that rule is normally disabled as a security best practice, and it doesn't recommend enabling it as a workaround.
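The second mitigating factor is the one that matters to anyone writing a proxy or filtering rule: the decision hinges on a reverse lookup, and the PTR record for an address is written by whoever runs the reverse zone for that address, which for an attacker's server is the attacker. The article does not spell out how ISA Server or Proxy Server used the result, so the sketch below is a generic one, added here as an example and not taken from Microsoft's products or from the bulletin. It shows a hostname-based destination rule that believes the PTR name as-is, beside the standard fix of forward-confirming the name (resolve the PTR name back to addresses and require the original address to be among them). The DNS answers are constructed test data on RFC 5737 documentation addresses and a `.test` domain so the block runs offline; `rule_allows`, `fcrdns_name` and the record tables are names chosen for this example.

```python
"""Why a reverse (PTR) lookup alone must not decide whether content is trusted.

Added example for this article; not code from Microsoft, ISA Server or Proxy
Server, and the rule logic is a generic sketch rather than the product's own.
The DNS answers are constructed test data (RFC 5737 documentation addresses
and a .test domain) so the example runs offline.
"""
import ipaddress
from typing import Callable, Iterable, Optional

# Constructed PTR data. Whoever runs the reverse zone for 192.0.2.0/24 decides
# what its PTR records say, so the attacker at 192.0.2.10 simply claims the
# trusted site's name. Only 198.51.100.7 really is www.example-trusted.test.
PTR_RECORDS = {
    "198.51.100.7": "www.example-trusted.test.",
    "192.0.2.10": "www.example-trusted.test.",
}
# Constructed forward (A) data, controlled by the trusted domain's owner.
A_RECORDS = {
    "www.example-trusted.test": ["198.51.100.7"],
}
TRUSTED_DOMAINS = ["example-trusted.test"]


def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; returns the claimed hostname or None."""
    return PTR_RECORDS.get(ip)


def a_lookup(name: str) -> Iterable[str]:
    """Stand-in for an A query; returns the addresses the name really maps to."""
    return A_RECORDS.get(name, [])


def normalize(name: str) -> str:
    """Strip the trailing dot and lower-case, so names compare consistently."""
    return name.rstrip(".").lower()


def name_from_ptr_only(ip: str, ptr: Callable[[str], Optional[str]]) -> Optional[str]:
    """Weak form: believe whatever the PTR record says about the address."""
    name = ptr(ip)
    return normalize(name) if name else None


def fcrdns_name(ip: str, ptr: Callable[[str], Optional[str]],
                a: Callable[[str], Iterable[str]]) -> Optional[str]:
    """Forward-confirmed reverse DNS: accept the PTR name only if resolving it
    forward yields the original address. Returns None on any mismatch."""
    name = ptr(ip)
    if not name:
        return None
    name = normalize(name)
    try:
        target = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for addr in a(name):
        try:
            if ipaddress.ip_address(addr) == target:
                return name
        except ValueError:
            continue  # skip malformed forward answers rather than trusting them
    return None


def in_trusted_domain(name: Optional[str], trusted: Iterable[str]) -> bool:
    """True if name equals a trusted domain or is a subdomain of one."""
    if name is None:
        return False
    return any(name == d or name.endswith("." + d) for d in trusted)


def rule_allows(ip: str, trusted: Iterable[str] = TRUSTED_DOMAINS,
                ptr=ptr_lookup, a=a_lookup, confirm: bool = True) -> bool:
    """Destination rule keyed on hostname. confirm=False is the weak check
    that a PTR record under attacker control can satisfy."""
    name = fcrdns_name(ip, ptr, a) if confirm else name_from_ptr_only(ip, ptr)
    return in_trusted_domain(name, trusted)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10"):
        print(ip, "ptr-only:", rule_allows(ip, confirm=False),
              "fcrdns:", rule_allows(ip))
```

With `confirm=False` both addresses pass the rule, because both PTR records claim the trusted name; with forward confirmation only 198.51.100.7 passes, since the trusted domain's own A record never points at 192.0.2.10. This is also why the first mitigating factor holds: a PTR record says nothing about TLS, so a spoofed name cannot produce a valid certificate for the trusted domain, and certificate validation is a separate check from the one shown here.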

This month's update is basically what Microsoft told customers to expect last week when it issued the first of what will be monthly early alerts, available to all customers three business days before each Patch Tuesday on the company's TechNet security site. It is also a much lighter update than what IT managers saw last month, when Microsoft issued 10 security bulletins -- seven of them critical -- to fix 22 vulnerabilities.

"This vulnerability doesn't look like a candidate for a massive exploit," said Craig Schmugar, virus research manager for Santa Clara, Calif.-based McAfee Inc.

It's unclear when Microsoft will issue a fix for the Internet Explorer IFRAME vulnerability. Several antivirus firms issued alerts Monday for two new Mydoom variants that exploit the flaw, which Danish security firm Secunia labeled "extremely critical." Schmugar said Tuesday that a third variant was in the wild.

Microsoft said last week it's investigating the security hole. "Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," a spokeswoman said last week.

"I wasn't expecting them to have a patch for the IFRAME vulnerability this quickly because of all the testing they have to do," Schmugar said. "I do wish they'd at least confirm the vulnerability or offer a workaround."

This article originally appeared on SearchSecurity.com.


