[SX-20010320-2b] - Followup re. Microsoft ISA Server Denial of Service


FSC Internet Corp. / SecureXpert Labs Advisory [SX-20010320-2b] This is a follow-up to: [SX-20010320-2] Denial of Service in Microsoft ISA server v1.0 Several individuals have pointed out an easier exploit scenario for this vulnerability, which additionally does NOT require the Web Publishing feature of ISA server to be active. The new exploit consists simply of sending an HTML email message containing an IMG tag with a SRC value URL of the form described in [SX-20010320-2] to a recipient within the protected network. When this message is read, the recipient's web browser will generate an HTTP request which will trigger the W3PROXY.EXE access violation and therefore the denial of service. Another variation involves sending an HTML email message containing Javascript or VBScript which generates such a URL request to a recipient within the protected network. However, some web browsers may be configured not to execute Javascript VBScript within the context of an email message. Status Microsoft Corp. was informed of this additional exploit scenario on April 17, 2001. The hotfix issued by Microsoft on April 16, 2001 already provides a solution for this additional scenario. Credits Richard Reiner, SecureXpert Labs Graham Wiseman, SecureXpert Labs Matthew Siemens, SecureXpert Labs Kent Nicolson, SecureXpert Labs Hank Leininger <hlein@progressive-comp.com> About SecureXpert DIRECT SecureXpert DIRECT is an advance security advisory service provided to qualified subscribers by SecureXpert Labs. Subscriptions are free of charge and may be obtained at http://www.securexpert.com/services.html.