Tuesday, April 14, 2009 10:39 PM
Tom Decaluwé
Sad day for ISA => start patching now
Since its release back in 2006, ISA has held a high reputation: in over three years there had not been a single security bulletin against it.
http://www.microsoft.com/technet/security/Bulletin/MS09-016.mspx
Patch Tuesday, 14 April 2009, has however ended this spotless track record: the first security bulletin has been released, fixing two issues in ISA 2004, ISA 2006 and Forefront TMG.
- Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077
A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy and Web publishing listeners. A remote attacker could exploit it to make a Web listener stop responding to new requests.
- Cross-Site Scripting Vulnerability - CVE-2009-0237
A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component of ISA Server and Forefront TMG, cookieauth.dll. It could allow attacker-supplied script to run in another user's browser as if it came from the server running cookieauth.dll. This is a non-persistent (reflected) cross-site scripting vulnerability that can lead to spoofing and information disclosure.
Both issues are more than serious enough to justify patching any ISA server that publishes websites to the outside world as soon as possible. I have patched my systems and have had no issues.
This update stops the ISA services during installation and requires the ISA server to be rebooted afterwards, so plan a maintenance window for the published sites.
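As a before-and-after check for the CVE-2009-0077 symptom (a Web listener that stops answering new requests), here is an added Python example; it is not code from the original post or from Microsoft. Each probe opens a fresh TCP connection to a listener, sends a minimal HTTP/1.0 HEAD request and classifies the outcome, so the same tally can be taken before the update and again after the reboot. The host, port and path you pass are assumptions for your own environment; the loopback fixture at the bottom is a constructed stand-in used only to try the probe, not an ISA server.

```python
"""Fresh-connection probe for an ISA/TMG Web listener (added example, not
code from the original post or from Microsoft). It checks for the symptom
MS09-016 describes for CVE-2009-0077: a Web listener that stops answering
NEW requests. Each probe opens a new TCP connection and sends one HEAD."""
import socket
import threading
import time


def probe_web_listener(host, port, timeout=5.0, path="/"):
    """One fresh-connection probe of host:port. Returns a dict whose "outcome"
    is "ok" (status line received, "status" holds the code), "refused",
    "connect_timeout" (SYN unanswered), "silent" (TCP connected but no reply
    within timeout: how an exhausted listener looks from outside) or "error".
    """
    start = time.monotonic()
    res = {"outcome": "error", "status": None, "elapsed": 0.0, "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        res["outcome"] = ("refused" if isinstance(exc, ConnectionRefusedError)
                          else "connect_timeout" if isinstance(exc, socket.timeout)
                          else "error")
        res["detail"] = str(exc)
        return _finish(res, start)
    with sock:
        sock.settimeout(timeout)
        req = "HEAD %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
        data = b""
        try:
            sock.sendall(req.encode("ascii"))
            while b"\r\n" not in data and len(data) < 4096:   # status line is enough
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError as exc:
            res["outcome"] = "silent" if isinstance(exc, socket.timeout) else "error"
            res["detail"] = str(exc)
            return _finish(res, start)
    parts = data.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        res["outcome"], res["status"] = "ok", int(parts[1])
    else:
        res["detail"] = "unexpected reply: %r" % data[:80]
    return _finish(res, start)


def _finish(res, start):
    res["elapsed"] = round(time.monotonic() - start, 3)
    return res


def probe_repeatedly(host, port, count=5, timeout=5.0):
    """Tally the outcomes of `count` fresh-connection probes; healthy is all "ok"."""
    tally = {}
    for _ in range(count):
        outcome = probe_web_listener(host, port, timeout=timeout)["outcome"]
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally


def start_local_listener(respond):
    """Constructed loopback fixture (not an ISA server) for trying the probe:
    respond=True answers every request with 200 OK; respond=False accepts the
    TCP connection and then stays silent, mimicking a stalled listener.
    Returns (port, stop); call stop() to shut it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop, held = threading.Event(), []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if not respond:
                held.append(conn)        # keep it open and never answer
                continue
            with conn:
                try:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


if __name__ == "__main__":
    for mode in (True, False):
        port, stop = start_local_listener(mode)
        print("respond=%s ->" % mode, probe_repeatedly("127.0.0.1", port, 3, 1.0))
        stop()
```

Run it against the published listener's external address and port, from outside the firewall, with a small count; it is a health probe, not a reproduction of the vulnerability. A tally showing "silent" entries while existing browser sessions still work is the pattern the bulletin describes, and the probe should return all "ok" once the update is installed and the ISA services are back after the reboot.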
On the bright side, it is well worth mentioning that this vulnerability was found by Microsoft internally, which shows how committed Microsoft and the ISA team are to building secure and reliable software. No cover-up story, unmentioned fixes or other bull sh*t, just an open and honest bulletin with a patch that fixes the problem.
So get cracking: patch your ISA servers now and you will once again have the best firewall out there!