Microsoft Security Bulletin MS09-016 - Important

Microsoft has not identified any mitigating factors for this vulnerability.

Microsoft has not identified any workarounds for this vulnerability.

What is the scope of the vulnerability? 
This is a denial of service vulnerability. A remote, anonymous attacker who successfully exploited this vulnerability could cause the affected Web listener to become non-responsive.

What causes the vulnerability? 
This vulnerability results because firewall engine state management does not handle the session state correctly for Web listeners. This limitation could lead to orphaned open sessions that can cause a denial of service.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could cause the affected system's Web listener to become non-responsive.

How could an attacker exploit the vulnerability? 
An attacker could exploit this vulnerability by sending specially crafted network packets to the affected system.

What systems are primarily at risk from the vulnerability? 
Forefront TMG MBE, ISA Server 2004, and ISA Server 2006 systems are primarily at risk from this vulnerability.

What does the update do? 
The update addresses this vulnerability by modifying the way that the firewall engine handles the TCP state for Web listeners.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-0077.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• ISA Server 2006 and Forefront TMG MBE deployments that do not have any Web publishing rules are not vulnerable by default. If ISA Server 2006 or Forefront TMG MBE is installed in a traditional firewall role and is not publishing any internal Web sites to the Internet, the vulnerable Web Filter will not be exposed (the port will be blocked).
• ISA Server 2006 or Forefront TMG MBE deployments that are used for Web publishing but are not using HTML forms authentication are not vulnerable.
• Even if Web publishing is enabled, the vulnerable code is exposed only if HTML forms authentication is enabled on the default Web listener.
  
  Note Forefront TMG MBE as installed with Windows Essential Business Server is configured for forms-based authentication on the External Web Listener by default.

Microsoft has not identified any workarounds for this vulnerability.

What is the scope of the vulnerability? 
This is a non-persistent cross-site scripting (XSS) vulnerability. An attacker who successfully exploited this vulnerability could cause script code to run on the machine of another user in the guise of a third-party Web site. Such script code would run inside the browser when visiting the third-party Web site, and could take any action on the user's computer that the third-party Web site was permitted to take. The vulnerability could only be exploited if the user clicked on a hypertext link, either in an HTML e-mail or if the user visited an attacker's Web site or a Web site containing content that is under the attacker’s control.

What causes the vulnerability? 
This vulnerability results from improper input validation of the HTTP stream. This error provides the ability to execute a cross-site scripting attack through the cookieauth.dll component in ISA Server or Microsoft Forefront TMG MBE.

What is cross-site scripting? 
Cross-site scripting (XSS) is a class of security vulnerability that can enable an attacker to "inject" script code into a user's session with a Web site. The vulnerability can affect Web servers that dynamically generate HTML pages. If these servers embed browser input in the dynamic pages that they send back to the browser, these servers can be manipulated to include maliciously supplied content in the dynamic pages. This can allow malicious script to be executed. Web browsers may perpetuate this problem through their assumptions of "trusted" sites and their use of cookies to maintain persistent state with the Web sites that they frequent. An XSS attack does not modify Web site content. Instead, it inserts new, malicious script that can execute at the browser in the context that is associated with a trusted server.

How does cross-site scripting work? 
Web pages contain text and HTML markup. Text and HTML markup are generated by the server and are interpreted by the client. If untrusted content is introduced into a dynamic page, neither the server nor the client has sufficient information to recognize that this injection has occurred and to take protective measures.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.

How could an attacker exploit the vulnerability? 
An attacker could exploit this vulnerability by having a user visit the affected Web site using a specially crafted URL. This can be done by way of any medium that can contain URL Web links controlled by the attacker, such as a link in an e-mail, on a Web site, or a redirect on a Web site. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the affected Web site using a specially crafted URL, or to the attacker's Web site.

What systems are primarily at risk from the vulnerability? 
ISA Server 2006 and Forefront TMG MBE systems that make use of HTML forms authentication are primarily at risk from this vulnerability.

What does the update do? 
The update addresses this vulnerability by modifying the way that cookieauth.dll validates HTTP forms authentication input.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.