Microsoft Corp. Friday said that one of its security products, ISA (Internet Security and Acceleration) Server 2000, has three different security holes that could lead to denial of service attacks. Microsoft has issued a patch to fix all three vulnerabilities.
The flaws are unrelated and affect ISA Server's Voice over IP (Internet Protocol) capabilities, its Proxy service and ISA's error page generation. The first vulnerability concerns a memory leak in the H.323 Gatekeeper service, which allows VoIP traffic through a firewall. Each time malformed data is sent to this service, a small amount of the server's memory is depleted, Microsoft said. If such requests are sent frequently enough, the server would be slowed down to the point of disrupting normal use.
This problem is mitigated, however, in that the server can only be attacked if the H.323 Gatekeeper component is installed, something that only happens when a user chooses a "full installation," or to install everything on the software CD related to the application.
The second problem ISA Server faces is a denial of service problem in the software's Proxy service. This flaw, like the first, is also a memory leak that can cause a slowing of the server and lead to denial of service to legitimate users. This hole is made less serious because it can only be exploited by an internal user, Microsoft said.
Lastly, a complicated vulnerability in the way ISA Server handles error messages about irretrievable Web pages can allow an attacker to execute code and gain access to cookies on both the server and user machines. The flaw could be exploited if an attacker were able to trick a user into requesting a Web page that did not reside on a server. The false URL (Uniform Resource Locator) would also have to contain code. When ISA Server generates an error page stating that the requested page is not available, the code contained in the URL would run in the server's security domain and any cookies that server had set on the user's system would be available to the attacker. This vulnerability is limited in that the attacker would have to know which sites a user trusted, which sites had placed cookies on the user's computer and that the user had specific security settings that would allow the attack.
The H.323 Gatekeeper and Proxy Service flaws were discovered by Peter Grundl. The scripting hole was found by Hiromitsu Takagi.
More information about the vulnerabilities, as well as the patch to fix them, is located at http://www.microsoft.com/technet/security/bulletin/ms01-045.aspMicrosoft, in Redmond, Washington, can be reached at +1-425-882-8080 or via the Internet at http://www.microsoft.com.