Microsoft has released a patch for a critical flaw in its firewall product, Internet Security and Acceleration (ISA) Server 2000. The patch repairs a vulnerability in the server's handling of a popular communications standard.
The flaw is a buffer overflow in ISA Server's H.323 filter. H.323 is a standard for multimedia communication over networks, such as real-time audio, and is often used for voice over IP.
The vulnerability is rated "critical" by Microsoft because remote attackers can use the flaw in the H.323 filter to overflow a buffer in the Microsoft Firewall Service, which would allow them to run code with the system privileges of that service. Microsoft enables the H.323 filter by default, which means virtually anyone running ISA Server 2000 is susceptible to attack.
Microsoft recommends a couple of workarounds for companies that can't install the patch right away. The first is disabling the H.323 filter. To do so:
- Open the ISA Management tool.
- Expand the Extensions container.
- Expand the Application Filters container.
- Select the H.323 Filter and then click "Disable".
- Restart the Microsoft Firewall Service Windows Components.
This workaround, however, will block H.323 traffic, so applications that rely on it, such as IP telephony and data collaboration software, won't work.
Users of vulnerable systems can also block TCP port 1720 at the gateway. The H.323 filter listens on that port, so blocking it reduces the chance of being attacked from the Internet. This workaround will also likely break applications that use H.323.
Microsoft also announced two other vulnerabilities: a "moderate" flaw in Exchange Server 2003 that could allow privilege escalation, and an "important" flaw that could allow attackers to run arbitrary code in Microsoft Data Access Components. MDAC ships with a variety of Microsoft products, including Windows Server 2003, Windows 2000 and XP, and SQL Server. MDAC enables database operations on Windows systems.
To some, a particular patch is notably lacking, namely one for the "0x01" URL-spoofing vulnerability in Internet Explorer. That flaw allows an attacker to craft legitimate-looking URLs that in fact link to bogus Web sites.
Thor Larholm, senior security researcher at Newport Beach, Calif.-based PivX Solutions LLC, disagrees. "Address spoofing is much less critical than code execution," he said.
Larholm is well-known for finding Internet Explorer vulnerabilities, but he considers the H.323 filter flaw in ISA more dangerous because it allows attackers to run code and because it's installed by default.
"Technically, the 0x01 flaw is not very critical. It can be used as part of social engineering, but once you get to the site you could tell it's not real," he said. Moreover, the vulnerability is fixed in Service Pack 2 for Windows XP, which is in beta now, Larholm said.
The Microsoft Data Access Components flaw is also pretty serious, Larholm said. It would probably be "critical" if local network access weren't needed to exploit it. "DSL or cable users may be vulnerable if they don't have a router or firewall," he said.
FOR MORE INFORMATION:
See Microsoft security bulletins MS04-001, MS04-002 and MS04-003.