Security Bulletin

Microsoft Security Bulletin MS09-016 - Important

Published: April 14, 2009 | Updated: July 23, 2009

Version: 1.2

This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). These vulnerabilities could allow denial of service if an attacker sends specially crafted network packets to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

This security update is rated Important for Forefront TMG MBE, ISA Server 2004, and ISA Server 2006. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that the firewall engine handles the TCP state and the way that HTTP forms authentication handles input. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. Microsoft Knowledge Base Article 961759 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

*Microsoft Forefront TMG MBE is delivered both as a standalone product and as a component of Windows Essential Business Server 2008.

**Microsoft ISA Server 2004 Standard Edition is delivered as a standalone product. Microsoft ISA Server 2004 Standard Edition is also delivered as a component of Windows Small Business Server 2003 Premium Edition Service Pack 1 and Windows Small Business Server 2003 R2 Premium Edition.

Non-Affected Software

Where are the file information details? 
The file information details can be found in Microsoft Knowledge Base Article 961759.

Why does this update address several reported security vulnerabilities? 
This update contains support for several vulnerabilities because the modifications that are required to address these issues are related to the same functionality. Instead of having to install several updates that are almost the same, customers need to install this update only.

If I reconfigure an existing TMG management-only installation to a full firewall or proxy installation, do I need to reapply the update?
Yes. If you have applied this update and then reconfigured a TMG management-only installation to a full firewall or proxy installation, you must reapply the KB968075 update.

If I upgrade an existing ISA Server 2006 installation to the ISA Server 2006 Supportability Update or to ISA Server 2006 Service Pack 1, do I need to reapply the update?
Yes. If you have applied this update and then upgraded from ISA Server 2006 to the ISA Server 2006 Supportability Update or ISA Server 2006 Service Pack 1, or upgraded from ISA Server 2006 Supportability Update to ISA Server 2006 Service Pack 1, you must apply the KB968078 package that corresponds to the newly installed ISA Server 2006 Supportability Update or ISA Server 2006 Service Pack 1.

I am using an older release of the software discussed in this security bulletin. What should I do? 
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.

Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the April bulletin summary. For more information, see Microsoft Exploitability Index.

A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. The vulnerability could allow a remote user to cause a Web listener to stop responding to new requests.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0077.

Microsoft has not identified any mitigating factors for this vulnerability.

Microsoft has not identified any workarounds for this vulnerability.

What is the scope of the vulnerability? 
This is a denial of service vulnerability. A remote, anonymous attacker who successfully exploited this vulnerability could cause the affected Web listener to become non-responsive.

What causes the vulnerability? 
This vulnerability results because firewall engine state management does not handle the session state correctly for Web listeners. This limitation could lead to orphaned open sessions that can cause a denial of service.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could cause the affected system's Web listener to become non-responsive.

How could an attacker exploit the vulnerability? 
An attacker could exploit this vulnerability by sending specially crafted network packets to the affected system.

What systems are primarily at risk from the vulnerability? 
Forefront TMG MBE, ISA Server 2004, and ISA Server 2006 systems are primarily at risk from this vulnerability.

What does the update do? 
The update addresses this vulnerability by modifying the way that the firewall engine handles the TCP state for Web listeners.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-0077.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, cookieauth.dll, which could allow malicious script code to run on the machine of another user under the guise of the server running cookieauth.dll. This is a non-persistent cross-site scripting vulnerability that can lead to spoofing and information disclosure.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0237.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• ISA Server 2006 and Forefront TMG MBE deployments that do not have any Web publishing rules are not vulnerable by default. If ISA Server 2006 or Forefront TMG MBE is installed in a traditional firewall role and is not publishing any internal Web sites to the Internet, the vulnerable Web Filter will not be exposed (the port will be blocked).
• ISA Server 2006 or Forefront TMG MBE deployments that are used for Web publishing but are not using HTML forms authentication are not vulnerable.
• Even if Web publishing is enabled, the vulnerable code is exposed only if HTML forms authentication is enabled on the default Web listener.
  Note Forefront TMG MBE as installed with Windows Essential Business Server is configured for forms-based authentication on the External Web Listener by default.

Microsoft has not identified any workarounds for this vulnerability.

What is the scope of the vulnerability? 
This is a non-persistent cross-site scripting (XSS) vulnerability. An attacker who successfully exploited this vulnerability could cause script code to run on the machine of another user in the guise of a third-party Web site. Such script code would run inside the browser when visiting the third-party Web site, and could take any action on the user's computer that the third-party Web site was permitted to take. The vulnerability could only be exploited if the user clicked on a hypertext link, either in an HTML e-mail or if the user visited an attacker's Web site or a Web site containing content that is under the attacker’s control.

What causes the vulnerability? 
This vulnerability results from improper input validation of the HTTP stream. This error provides the ability to execute a cross-site scripting attack through the cookieauth.dll component in ISA Server or Microsoft Forefront TMG MBE.

What is cross-site scripting? 
Cross-site scripting (XSS) is a class of security vulnerability that can enable an attacker to "inject" script code into a user's session with a Web site. The vulnerability can affect Web servers that dynamically generate HTML pages. If these servers embed browser input in the dynamic pages that they send back to the browser, these servers can be manipulated to include maliciously supplied content in the dynamic pages. This can allow malicious script to be executed. Web browsers may perpetuate this problem through their assumptions of "trusted" sites and their use of cookies to maintain persistent state with the Web sites that they frequent. An XSS attack does not modify Web site content. Instead, it inserts new, malicious script that can execute at the browser in the context that is associated with a trusted server.

How does cross-site scripting work? 
Web pages contain text and HTML markup. Text and HTML markup are generated by the server and are interpreted by the client. If untrusted content is introduced into a dynamic page, neither the server nor the client has sufficient information to recognize that this injection has occurred and to take protective measures.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site.

How could an attacker exploit the vulnerability? 
An attacker could exploit this vulnerability by having a user visit the affected Web site using a specially crafted URL. This can be done by way of any medium that can contain URL Web links controlled by the attacker, such as a link in an e-mail, on a Web site, or a redirect on a Web site. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the affected Web site using a specially crafted URL, or to the attacker's Web site.

What systems are primarily at risk from the vulnerability? 
ISA Server 2006 and Forefront TMG MBE systems that make use of HTML forms authentication are primarily at risk from this vulnerability.

What does the update do? 
The update addresses this vulnerability by modifying the way that cookieauth.dll validates HTTP forms authentication input.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Manage the software and security updates you need to deploy to the servers, desktop, and mobile systems in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, "MS07-036"), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance

Microsoft has provided detection and deployment guidance for this month’s security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update, such as Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool. For more information, see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

The following table provides the MBSA detection summary for this security update.

For more information about MBSA 2.1, see MBSA 2.1 Frequently Asked Questions.

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server

The following table provides the SMS detection and deployment summary for this security update.

For SMS 2.0 and SMS 2003, the SMS SUS Feature Pack (SUSFP), which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. See also Downloads for Systems Management Server 2.0.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. See also Downloads for Systems Management Server 2003.

System Center Configuration Manager 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit System Center Configuration Manager 2007.

For more information about SMS, visit the SMS Web site.

For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0.

The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Installing the Update

You can install the update from the appropriate download link in the Affected and Non-Affected Software section.

This security update supports the following setup switches.

Note You can combine these switches into one command.

Note for installing with user interaction. When installing this update with user interaction (such as by double-clicking the .msp package or omitting the /quiet switch), a dialog box may appear stating that files to be updated are currently in use. This is expected behavior. To continue installing the update, click Ignore.

Verifying That the Update Has Been Applied

• Microsoft Baseline Security Analyzer

  To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

• File Version Verification

  Because there are several versions and editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

  1. Click Start, and then click Search.
  2. In the Search Results pane, click All files and folders under Search Companion.
  3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
  4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
  5. On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
     Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Installing the Update

You can install the update from the appropriate download link in the Affected and Non-Affected Software section.

This security update supports the following setup switches.

Note You can combine these switches into one command.

Verifying That the Update Has Been Applied

• Microsoft Baseline Security Analyzer

  To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

• File Version Verification

  Because there are several versions and editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

  1. Click Start, and then click Search.
  2. In the Search Results pane, click All files and folders under Search Companion.
  3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
  4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
  5. On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
     Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Installing the Update

You can install the update from the appropriate download link in the Affected and Non-Affected Software section.

This security update supports the following setup switches.

Note You can combine these switches into one command.

Verifying That the Update Has Been Applied

• Microsoft Baseline Security Analyzer

  To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.

• File Version Verification

  Because there are several versions and editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.

  1. Click Start, and then click Search.
  2. In the Search Results pane, click All files and folders under Search Companion.
  3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
  4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
  5. On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
     Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

Microsoft thanks the following for working with us to help protect customers:

• New York State Chief Information Officer / Office for Technology for reporting the Cross-Site Scripting Vulnerability (CVE-2009-0237)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

• Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
• International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

• V1.0 (April 14, 2009): Bulletin published.
• V1.1 (April 22, 2009): Corrected registry key verification entries in the deployment reference tables for ISA Server 2004 and ISA Server 2006.
• V1.2 (July 23, 2009): Added a link to Microsoft Knowledge Base Article 961759 under Known Issues in the Executive Summary.

Built at 2014-04-18T13:49:36Z-07:00