Learn How Your ISA Server Helps Block VML Vulnerability Traffic (925568)
Note
This page was first published on Friday, September 22, 2006.
The first course of action taken against this attack must be protecting and patching all affected computers. Details of this issue can be found here.
The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2004 or 2006 to help block malicious traffic intended to exploit this attack and to protect computers on internal networks.
The first section of this article contains technical details about this attack:
- Affected Traffic
This article also discusses how ISA Server can mitigate against this attack:
- Caveats
- Helping to prevent this attack through ISA Server
- Protecting the ISA Server computer from this attack
This article also discusses:
- How to Make Sure ISA Server 2004 or ISA Server 2006 is Correctly Configured
Disclaimer
Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user’s own risk.
Affected Traffic
Table 1 lists affected traffic known to be used by this attack. This data is current as of 3:41 PM Thursday, September 21, 2006.
# | Protocol | Command | Known to Be Used by this attack? |
---|---|---|---|
1 | HTTP (TCP:80) | various | Yes |
Note
Since this protocol/port is used for valid HTTP communications, blocking this protocol is not advised.
Table 2 lists HTTP Filter signatures. This data is current as of 3:41 PM Thursday, September 21, 2006.
# | Name | Description | Search in | Signature |
---|---|---|---|---|
1 | BlockVML1 | Blocks VML namespace | Response Body | urn:schemas-microsoft-com:vml |
2 | BlockVML2 | Blocks VML tags | Response Body | <v: |
3 | BlockVML3 | Blocks VML style data | Response Body | v\: |
4 | BlockVML4 | Blocks VML namespace | Response Body | xmlns:v= |
5 | BlockVML5 | Blocks VML style tag | Response Body | url(#default#vml) |
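The Table 2 signatures are literal strings that the HTTP Filter compares against the response body. The following Python check is added here and is not part of the original article or of ISA Server: it applies those five strings to constructed sample responses so a defender can see which bodies each signature flags and that header content is outside the "Search in: Response body" scope. The sample responses and the exact-case matching are this example's own assumptions.

```python
from typing import Dict, List

# Table 2 signatures: name -> literal string searched for in the response body
VML_SIGNATURES: Dict[str, str] = {
    "BlockVML1": "urn:schemas-microsoft-com:vml",  # VML namespace URN
    "BlockVML2": "<v:",                            # VML element prefix
    "BlockVML3": "v\\:",                           # VML behavior selector (literal v\:)
    "BlockVML4": "xmlns:v=",                       # VML namespace declaration
    "BlockVML5": "url(#default#vml)",              # VML behavior binding in CSS
}


def split_response(raw: bytes) -> bytes:
    """Return only the body of a raw HTTP response (headers end at the first blank line).
    Table 2 scopes every signature to the response body, so headers are never searched."""
    _, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else b""  # no header terminator: nothing to treat as body


def match_vml_signatures(raw_response: bytes) -> List[str]:
    """Return the names of the Table 2 signatures whose literal string occurs in the body.
    This is a plain byte-wise substring search; the article does not state whether ISA's
    matcher is case-sensitive, so this example assumes exact case (an assumption)."""
    body = split_response(raw_response)
    return [name for name, sig in VML_SIGNATURES.items() if sig.encode() in body]


# Constructed sample 1: an ordinary HTML page, triggers no signature.
PLAIN_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body><p>Quarterly report</p></body></html>")

# Constructed sample 2: a page that declares the VML namespace and uses VML markup.
VML_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html xmlns:v=\"urn:schemas-microsoft-com:vml\"><head><style>"
            b"v\\:* { behavior: url(#default#vml); }</style></head>"
            b"<body><v:rect style=\"width:10pt\"/></body></html>")

# Constructed sample 3: the namespace string appears only in a header, not the body,
# so a body-scoped signature does not see it.
HEADER_ONLY = (b"HTTP/1.1 200 OK\r\nX-Note: urn:schemas-microsoft-com:vml\r\n\r\n"
               b"<html><body>no vml markup here</body></html>")

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_PAGE), ("vml", VML_PAGE), ("header-only", HEADER_ONLY)):
        print(label, match_vml_signatures(sample))
```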
Caveats
ISA Server 2000 cannot block this attack traffic unless a third-party web filter is installed which can scan HTTP traffic. Microsoft cannot provide guidance for third-party products.
ISA Server 2004 or ISA Server 2006 cannot block this attack traffic if any of the following is true:
- The Web Proxy Filter is disabled
- An access or server publishing rule uses a custom HTTP protocol that does not use the Web Proxy Filter
- The traffic is carried in an SSL tunnel
Helping to Prevent This Attack Through ISA Server
HTTP traffic is normally filtered by the Web Proxy and HTTP filters. Because of this, the same blocking signatures can be applied to outbound (client) traffic as to inbound (published server) traffic.
Protecting the ISA Server Computer from This Attack
Any Windows host that runs Outlook is potentially vulnerable to this attack. You should not use your firewall as a workstation. If you do, you must apply any relevant updates or workarounds to the ISA Server as well.
How to Make Sure ISA Server 2004 or ISA Server 2006 is Correctly Configured
Note
This process can be automated using the block_vml.vbs script file available at https://isatools.org/tools.asp?Context=ISA2006.
To enable HTTP filtering for this attack in ISA Server 2004 or ISA Server 2006:
Enterprise Edition:
Enable the Enterprise Web Proxy and HTTP Filters
1. In ISA Management, expand Enterprise
2. Select Enterprise Add-ins
3. In the middle pane, select Application Filters
4. Ensure Web Proxy Filter is enabled
5. In the middle pane, select Web Filters
6. Ensure HTTP Filter is enabled
Configure the Enterprise Policy Rules HTTP Filter Settings
1. In ISA Management, expand Enterprise Policies
Note
If only one Enterprise policy exists, skip to Configure the Array Policy Rules HTTP Filter Settings in this section
2. For each Enterprise Policy listed, select <EnterprisePolicyName>
3. In the middle pane, right-click the first rule. If the rule does not provide Configure HTTP as an option, move to the next rule
4. Select Configure HTTP
5. In the Configure HTTP policy for rule dialog, select the Signatures tab
6. For each item listed in Table 2, click Add
7. In the Name field, enter the name of the signature definition from Table 2
8. In the Description field, enter the description of the filter definition from Table 2
9. In the Search in: field, select Response body
Note
At this point, you will see a pop-up noting that performance may be affected; click OK
10. In the Signature field, enter the signature definition from Table 2
11. Click OK
12. Repeat steps 2 through 11 until all rules in all Enterprise Policies have been updated
Configure the Array Policy Rules HTTP Filter Settings
1. In ISA Management, expand Arrays
2. For each <ArrayName> listed, perform the steps outlined in Standard Edition, steps 2 through 10
3. When prompted, apply the settings
Standard Edition:
Enable the Web Proxy and HTTP Filters
1. In ISA Management, expand Arrays
2. Expand <ArrayName>, then Configuration
3. Select Add-ins
4. In the middle pane, select Application Filters
5. Ensure Web Proxy Filter is enabled
6. In the middle pane, select Web Filters
7. Ensure HTTP Filter is enabled
Configure the Array Policy Rules HTTP Filter Settings
1. In the middle pane, right-click the first rule. If the rule does not provide Configure HTTP as an option, move to the next rule
2. Select Configure HTTP
3. In the Configure HTTP policy for rule dialog, select the Signatures tab
4. For each item listed in Table 2, click Add
5. In the Name field, enter the name of the signature definition from Table 2
6. In the Description field, enter the description of the filter definition from Table 2
7. In the Search in: field, select Response body
Note
At this point, you will see a pop-up noting that performance may be affected; click OK
8. In the Signature field, enter the signature definition from Table 2
9. Click OK
10. Repeat steps 1 through 9 until all rules in all Array Rules have been updated
11. When prompted, apply the settings
Related Topics
Other Resources
Security Advisory 925568
ISA Server 2000 Product Documentation
ISA Server 2004 Product Documentation
ISA Server 2006 Product Documentation