Alert: Microsoft Security Bulletin MS04-001 - Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458)
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 01/13/04
Date: Tue, 13 Jan 2004 15:24:49 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Microsoft Security Bulletin MS04-001:
Vulnerability in Microsoft Internet Security and Acceleration Server
2000 H.323 Filter Could Allow Remote Code Execution (816458)
Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS04-001.asp
Summary:
Version Number: V1.0
Revision Date: 01-13-2004
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Patch(es) Replaced: None
Caveats: None
CVE Number(s): CAN-2003-0819
Tested Software:
Affected Software:
* Microsoft Internet Security and Acceleration Server 2000
<http://www.ntbugtraq.com/link/CBE42990-4156-4E1D-9ACB-4CD449D9599B.asp>
* Microsoft Small Business Server 2000 (which includes Microsoft
Internet Security and Acceleration Server 2000)
<http://www.ntbugtraq.com/link/CBE42990-4156-4E1D-9ACB-4CD449D9599B.asp>
* Microsoft Small Business Server 2003 (which includes Microsoft
Internet Security and Acceleration Server 2000)
<http://www.ntbugtraq.com/link/CBE42990-4156-4E1D-9ACB-4CD449D9599B.asp>
Software Not Affected:
* Microsoft Proxy Server 2.0
Technical Description:
A security vulnerability exists in the H.323 filter for Microsoft
Internet Security and Acceleration Server 2000 that could allow an
attacker to overflow a buffer in the Microsoft Firewall Service in
Microsoft Internet Security and Acceleration Server 2000. An attacker
who successfully exploited this vulnerability could try to run code of
their choice in the security context of the Microsoft Firewall Service.
This would give the attacker complete control over the system. The H.323
filter is enabled by default on servers running ISA Server 2000
computers that are installed in integrated or firewall mode.
This email is sent to NTBugtraq automagically as a service to my
subscribers. (v2.2)
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor