Welcome to ISAserver.org

New 0Day affecting ISA

New 0Day affecting ISA - 14.Jul.2009 7:22:20 AM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
I was hoping to get some information on how this new 0day exploit that was released to the public yesterday (7-13-09) will affect an ISA 2006 installation.

http://www.microsoft.com/technet/security/advisory/973472.mspx

There is no real explanation for how it affects ISA specifically.  From the sounds of it, it would only affect ISA if someone was logged on to the physical server and browsed to an affected page.

Thanks,

Ryan
Post #: 1
RE: New 0Day affecting ISA - 14.Jul.2009 8:39:05 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ryan,

quote:

Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

This is not an ISA Server software vulnerability. That's the reason why we at ISAserver.org recommend not installing any additional software not related to ISA Firewall, and also not using ISA Firewall as a workstation.

If you follow these recommendations, then you'll have no problem with this advisory.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to rmharp)
Post #: 2
RE: New 0Day affecting ISA - 14.Jul.2009 8:43:30 AM   
rmharp

 

Posts: 49
Joined: 18.May2006
Status: offline
quote:

ORIGINAL: paulo.oliveira

Hi Ryan,

quote:

Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

This is not an ISA Server software vulnerability. That's the reason why we at ISAserver.org recommend not installing any additional software not related to ISA Firewall, and also not using ISA Firewall as a workstation.

If you follow these recommendations, then you'll have no problem with this advisory.

Regards,
Paulo Oliveira.


While I realize it is not an ISA vulnerability, the TechNet site lists ISA specifically under its affected software, while not listing Windows Server 2003 specifically, so I found it a bit odd.  Isn't the first time I have found something Microsoft did odd, nor will it be the last.

-Ryan

(in reply to paulo.oliveira)
Post #: 3
RE: New 0Day affecting ISA - 14.Jul.2009 8:48:22 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ryan,

I think they refer to ISA because of this:
quote:


In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

If you have a web publishing rule, then an attacker can host malicious code on it. If this is the case, then the best option now is to apply the Microsoft workaround.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to rmharp)
Post #: 4
RE: New 0Day affecting ISA - 14.Jul.2009 8:55:36 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
It lists it for the very reason that ISA installations add those components to the machine you install ISA on.

I blogged about this yesterday, but till now I have not had the time to see which part of ISA (might be a poor choice of words) will install those components:
http://www.carbonwind.net/blog/post/2009/07/13/Heads-up-ISA-Server-20042006-admins-Vulnerability-in-Microsoft-Office-Web-Components-ActiveX-Could-Allow-Remote-Code-Execution.aspx

Basically it can be used in a "browse and get owned" scenario. Normally only a silly person would browse from ISA itself, but if you install ISA's MMC on a machine and, in case (I don't know now for sure) those components are installed, you start to browse the web from that machine, you may get p0wned.

It is said that the vulnerability is actively exploited right now:
http://isc.sans.org/diary.html?storyid=6778

As usual, everyone should take the actions deemed necessary to protect their networks, if any. If you want to mitigate this, just run the tool provided by Microsoft to set the killbit.

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to rmharp)
Post #: 5
RE: New 0Day affecting ISA - 14.Jul.2009 1:59:36 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Here is some detailed information regarding the vulnerability...

http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

If you are following security best practices and are not browsing web sites from the ISA firewall, the risk is completely mitigated.  We all know that some people do in fact do this, however. 

FYI...the Office Web Components (OWC) are not installed as a part of the operating system, and as such Windows Server 2003 is not listed as affected.  The OWC are included with various applications, ISA being one of them (OWC is used as a part of the reporting tools).

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to adimcev)
Post #: 6
RE: New 0Day affecting ISA - 15.Jul.2009 8:22:49 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
And I think this is a critical distinction. We harp on about not using the firewall as a workstation and not calling it a SERVER. Why? To get people out of the mindset of thinking they're working with a workstation or a machine that can be used for email, browsing etc.

It's a firewall, not a "computer", "server", or whatever. If admins keep that in mind they reduce their attack surface by orders of magnitude.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to richardhicks)
Post #: 7
