Export (0) Print
Expand All

Learn How Your ISA Server Helps Block VML Vulnerability Traffic (925568)

Cc514300.note(en-us,TechNet.10).gifNote:
This page was first published on Friday, September 22, 2006.

The first course of action taken against this attack must be protecting and patching all affected computers. Details of this issue can be found here.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2004 or 2006 to help block malicious traffic intended to exploit this attack and to protect computers on internal networks.

The first section of this article contains technical details about this attack:

  • Affected Traffic

This article also discusses how ISA Server can mitigate against this attack:

  • Caveats
  • Helping to prevent this attack/attacks through ISA Server
  • Protecting the ISA Server computer from this attack/attacks

This article also discusses:

  • How to Make Sure ISA Server 2004 or ISA Server 2006 is Correctly Configured

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user’s own risk.

Table 1 lists affected traffic known to be used by this attack. This data is current as of 3:41 PM Thursday, September 21, 2006.

# Protocol Command Known to Be Used by this attack?

1

HTTP (TCP:80)

various

Yes

Cc514300.note(en-us,TechNet.10).gifNote:
Since this protocol/port is used for valid HTTP communications, blocking this protocol is not advised.

Table 2 lists HTTP Filter signatures. This data is current as of 3:41 PM Thursday, September 21, 2006.

# Name Description Search in Filter?

1

BlockVML1

Blocks VML namespace

Response Body

urn:schemas-microsoft-com:vml

2

BlockVML2

Blocks VML tags

Response Body

<v:

3

BlockVML3

Blocks VML style data

Response Body

v\:

4

BlockVML4

Blocks VML namespace

Response Body

xmlns:v=

5

BlockVML5

Blocks VML style tag

Response Body

url(#default#vml)

ISA Server 2000 cannot block this attack traffic unless a third-party web filter is installed which can scan HTTP traffic. Microsoft cannot provide guidance for third-party products.

ISA Server 2004 or ISA Server 2006 cannot block this attack traffic if the following is true:

  • The Web Proxy Filter is disabled
  • An access or Server publishing rule uses a custom HTTP protocol that does not use the Web Proxy Filter
  • The traffic is carried in an SSL tunnel

HTTP traffic is normally filtered by the Web proxy and HTTP filters. Because of this, the same blocking mechanisms can be applied to outbound traffic as to inbound traffic.

Any Windows host that runs Outlook is potentially vulnerable to this attack. You should not use your firewall as a workstation. If you do, you must apply any relevant updates or workarounds to the ISA Server as well.

Cc514300.note(en-us,TechNet.10).gifNote:
This process can be automated using the block_vml.vbs script file available at http://isatools.org/tools.asp?Context=ISA2006.

To enable HTTP filtering for this attack in ISA Server 2004 or ISA Server 2006:

Enterprise Edition:

Enable the Enterprise Web Proxy and HTTP Filters
  1. In ISA Management, expand Enterprise

  2. Select Enterprise Add-ins

  3. In the middle pane, select Application Filters

  4. Ensure Web Proxy Filter is enabled

  5. In the Middle pane, select Web Filters

  6. Ensure HTTP Filter is enabled

Configure the Enterprise Policy Rules HTTP Filter Settings
  1. In ISA Management, expand Enterprise Policies

Cc514300.note(en-us,TechNet.10).gifNote:
If only one Enterprise policy exists, skip to Configure the Array Policy Rules HTTP Filter Settings in this section
  1. For each Enterprise Policy listed, select <EnterprisePolicyName>
  2. In the middle pane, right-click the first rule. If the rule does not provide Configure HTTP as an option, move to the next rule
  3. Select Configure HTTP
  4. In the Configure HTTP policy for rule dialog, select the Signatures tab
  5. For each item listed in Table 2, click Add
  6. In the Name field, enter the name of the signature definition from Table 2
  7. In the Description field, enter the description of the filter definition from Table 2
  8. In the Search in: field, select Response body
Cc514300.note(en-us,TechNet.10).gifNote:
At this point, you will see a pop-up noting that performance may be affected; click OK
  1. In the Signature field, enter the signature definition from Table 2
  2. Click OK
  3. Repeat steps 2 through 11 until all rules in all Enterprise Policies have been updated
Configure the Array Policy Rules HTTP Filter Settings
  1. In ISA Management, expand Arrays

  2. For each <ArrayName> listed, perform the steps outlined in Standard Edition, steps 2 through 10

  3. When prompted, apply the settings

Standard Edition:

Enable the Web Proxy and HTTP Filters
  1. In ISA Management, expand Arrays

  2. Expand <ArrayName>, then Configuration

  3. Select Add-ins

  4. In the middle pane, select Application Filters

  5. Ensure Web Proxy Filter is enabled

  6. In the middle pane, select Web Filters

  7. Ensure HTTP Filter is enabled

Configure the Array Policy Rules HTTP Filter Settings
  1. In the middle pane, right-click the first rule. If the rule does not provide Configure HTTP as an option, move to the next rule

  2. Select Configure HTTP

  3. In the Configure HTTP policy for rule dialog, select Signatures

  4. For each item listed in Table 2, click Add

  5. In the Name field, enter the name of the signature definition from Table 2

  6. In the Description field, enter the description of the filter definition from Table 2

  7. In the Search in: field, select Response body

Cc514300.note(en-us,TechNet.10).gifNote:
At this point, you will see a pop-up noting that performance may be affected; click OK
  1. In the Signature field, enter the signature definition from Table 2
  2. Click OK
  3. Repeat steps 1 through 9 until all rules in all Array Rules have been updated
  4. When prompted, apply the settings
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft