Microsoft Security Advisory MS04-039 - A spoofing vulnerability exists that can enable an attacker to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site.
064efe33186d9c48dd686d2d40f88f2be3bece822a8b4753e81a66b11827539c<h1>Microsoft Security Bulletin MS04-039</h1><h2 class="subtitle">Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)</h2><div style="height: 18px"></div><p><b>Issued:</b> November 9, 2004<br><b>Updated:</b> November 9, 2004<br><b>Version:</b> 2.0<br></p><a name="ESAA"></a><h3>Summary</h3><div id="sl1-ESAA"><p><b>Who should read this document:</b> Customers who use Microsoft Proxy Server 2.0 or Microsoft Internet Security and Acceleration (ISA) Server 2000</p><p><b>Impact of Vulnerability:</b> Spoofing</p><p><b>Maximum Severity Rating: </b>Important</p><p><b>Recommendation: </b>Customers should install the update at the earliest opportunity.</p><p><b>Security Update Replacement: </b>None </p><p><b>Caveats: </b>None</p><p><b>Tested Software and Security Update Download Locations:</b></p><p><b>Affected Software: </b></p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Microsoft Proxy Server 2.0 Service Pack 1– <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=55643141-91E3-4474-8134-72887BC6FC18">Download the update</a></p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Microsoft Internet Security and Acceleration Server 2000 Service Pack 1 and Microsoft Internet Security and Acceleration Server 2000 Service Pack 2 – <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=7A4C318F-5AC9-4CF2-8792-A4A62076EBE7">Download the update</a></p><p><b>Note </b>The following software programs include Microsoft Internet Security and Acceleration Server 2000 (ISA Server 2000). Customers using these software programs should install the provided ISA Server 2000 security update.</p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Microsoft Small Business Server 2000</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Microsoft Small Business Server 2003 Premium Edition</p></td></tr></table></td></tr></table><p><b>Non-Affected Software:</b></p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Microsoft Internet Security and Acceleration (ISA) Server 2004</p></td></tr></table><p>The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following <a href="http://go.microsoft.com/fwlink/?LinkId=21742">Microsoft Support Lifecycle Web site</a>.</p><div style="margin-top: 3px; margin-bottom: 10px"><a href="#ESAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#ESAA">Top of section</a></div></div><h2 class="extra">General Information</h2><div class="expandoIndent" style="margin-bottom:15px;"><a name="EDRAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:6px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l1-EDRAA\')"><img width="9" height="9" border="0" id="is3l1-EDRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l1-EDRAA\')"><img width="9" height="9" border="0" id="is3l1-EDRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l1-EDRAA\')" style="text-decoration:none;">');
</script><h3>Executive Summary</h3><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l1-EDRAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l1-EDRAA'); }
</script><div class="expandoIndent"><p><b>Executive Summary:</b></p><p>This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. This vulnerability could enable an attacker to spoof trusted Internet content.</p><p>We recommend that customers install the update at the earliest opportunity. </p><p><b>Severity Ratings and Vulnerability Identifiers:</b></p><table cellspacing="0" class="dataTable" id="EBDRAA" cellpadding="0"><thead><tr valign="top" class="stdHeader"><td id="colEDBBDRAA">Vulnerability Identifiers</td><td id="colECBBDRAA">Impact of Vulnerability</td><td id="colEBBBDRAA">ISA Server 2000</td><td id="colEABBDRAA" style="border-right: solid 1px #CCCCCC">Proxy Server 2.0</td></tr></thead><tbody><tr valign="top" class="record"><td><p class="lastInCell">Spoofing Vulnerability - <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0892">CAN-2004-0892</a></p></td><td><p class="lastInCell">Spoofing</p></td><td><p class="lastInCell">Important</p></td><td style="border-right: solid 1px #CCCCCC"><p class="lastInCell">Important</p></td></tr></tbody></table><div class="dataTableBottomMargin"></div><p>This <a href="http://go.microsoft.com/fwlink/?LinkId=21140">assessment</a> is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.</p></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EDRAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EDRAA">Top of section</a></div></div><a name="ECRAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:6px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l1-ECRAA\')"><img width="9" height="9" border="0" id="is3l1-ECRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l1-ECRAA\')"><img width="9" height="9" border="0" id="is3l1-ECRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l1-ECRAA\')" style="text-decoration:none;">');
</script><h3>Frequently asked questions (FAQ) related to this security update</h3><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l1-ECRAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l1-ECRAA'); }
</script><div class="expandoIndent"><p><b>Why was this security bulletin updated on November 9, 2004?</b><br>After the release of the MS04-039 security bulletin, Microsoft became aware of an issue affecting ISA Server 2000 customers deploying the German language version of the security update. The originally released version of the ISA Server 2000 German language security update required ISA Server 2000 Service Pack 2. The updated version of the ISA Server 2000 German language security update can be installed on ISA Server 2000 systems using ISA Server 2000 Service Pack 1 or ISA Server 2000 Service Pack 2. This issue only affected the German language version of the security update. The original version of this security update did protect against the vulnerability described in this security bulletin. Customers using the German language version of ISA Server 2000 Service Pack 2 who successfully installed the originally released security update do not need to take any action.</p><p><b>Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?</b><br>No. MBSA does not currently support the detection of the affected products. For detailed information about the programs that MBSA currently does not detect, see <a href="http://support.microsoft.com/kb/306460">Microsoft Knowledge Base Article 306460</a>. If you have installed any of the programs that are listed in the Affected Software section of this security bulletin, you may have to manually install the required update. For more information about MBSA, visit the <a href="http://go.microsoft.com/fwlink/?LinkId=21134">MBSA Web site</a>.</p><p><b>Can I use Systems Management Server (SMS) to determine if this update is required?</b><br>Yes. SMS can help detect and deploy this security update. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to programs that MBSA does not detect. Although SMS cannot detect the affected software using MBSA, administrators can use SMS to find the affected files and update them. You can also deploy this update using the <a href="http://go.microsoft.com/fwlink/?LinkId=33333">Inventory and Software Distribution</a> feature of SMS. For information about SMS, visit the <a href="http://go.microsoft.com/fwlink/?LinkId=21158">SMS Web site</a>.</p><p></p><p><b>Can I use SMS to determine if programs are installed that have to be updated?</b><br>Yes. SMS can help detect if there are programs installed that may have installed a version of the vulnerable component. For ISA Server 2000, SMS can search for the existence of the Msphlpr.dll file. Update all versions of the Msphlpr.dll file that are earlier than version 3.0.1200.408. For Proxy Server 2.0 Service Pack 1, review the file information in the Proxy Server 2.0 Service Pack 1 Security Update Information section of this security bulletin for complete file information details.</p></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#ECRAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#ECRAA">Top of section</a></div></div><a name="EBRAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:6px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l1-EBRAA\')"><img width="9" height="9" border="0" id="is3l1-EBRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l1-EBRAA\')"><img width="9" height="9" border="0" id="is3l1-EBRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l1-EBRAA\')" style="text-decoration:none;">');
</script><h3>Vulnerability Details</h3><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l1-EBRAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l1-EBRAA'); }
</script><div class="expandoIndent"><a name="EABRAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:2px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l2-EABRAA\')"><img width="9" height="9" border="0" id="is3l2-EABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l2-EABRAA\')"><img width="9" height="9" border="0" id="is3l2-EABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l2-EABRAA\')" style="text-decoration:none;">');
</script><h4>Spoofing Vulnerability - CAN-2004-0892:</h4><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l2-EABRAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l2-EABRAA'); }
</script><div class="expandoIndent"><p>This is a spoofing vulnerability that exists in the affected products and that could enable an attacker to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site. However, an attacker would first have to persuade a user to visit the attacker’s site to attempt to exploit this vulnerability.</p><a name="ECABRAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:2px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l3-ECABRAA\')"><img width="9" height="9" border="0" id="is3l3-ECABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l3-ECABRAA\')"><img width="9" height="9" border="0" id="is3l3-ECABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l3-ECABRAA\')" style="text-decoration:none;">');
</script><h5>Mitigating Factors for Spoofing Vulnerability - CAN-2004-0892:</h5><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l3-ECABRAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l3-ECABRAA'); }
</script><div class="expandoIndent"><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>This vulnerability would not allow an attacker to spoof an SSL certificate. An attacker would not be able to successfully use SSL certificates that belong to other domain names. For example, a spoofed Web site cannot use a trusted Web site’s SSL certificate to establish an SSL session with a user. If a spoofed Web site tries to do this, authentication fails and the user receives a warning message.</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>An attacker would first have to persuade a user view content that causes a reverse lookup to occur. For example, an attacker could persuade a user to visit the attacker’s Web site by using an IP address that would cause a reverse lookup to occur.</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Systems that enable the default Site and Content rule permitting “All traffic” to “All Destinations” are not affected by this vulnerability. However this rule is generally disabled as a security best practice guideline and we do not recommend enabling to help mitigate this issue vulnerability.</p></td></tr></table></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#ECABRAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#ECABRAA">Top of section</a></div></div><a name="EBABRAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:2px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l3-EBABRAA\')"><img width="9" height="9" border="0" id="is3l3-EBABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l3-EBABRAA\')"><img width="9" height="9" border="0" id="is3l3-EBABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l3-EBABRAA\')" style="text-decoration:none;">');
</script><h5>Workarounds for Spoofing Vulnerability - CAN-2004-0892:</h5><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l3-EBABRAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l3-EBABRAA'); }
</script><div class="expandoIndent"><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><b>Set the DNS Cache size to zero on the affected software.</b><br>Setting the DNS Cache size to zero effectively disables DNS caching on the affected system. This would prevent the affected software from using potentially spoofed data from the cache. This may have negative performance impact on DNS resolution. This should only be done on systems that are not able apply the security update as a short term workaround. See <a href="http://support.microsoft.com/kb/889189">Microsoft Knowledge Base Article 889189</a> for detailed instructions on how to perform this procedure.<br></p><p>If you suspect that your system has been effected by attempts to exploit this vulnerability, you can clear the web proxy cache to help remove the suspected malicious content. <a href="http://support.microsoft.com/kb/889189">Microsoft Knowledge Base Article 889189</a> provides detailed instructions on how to perform this procedure.</p></td></tr></table></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EBABRAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EBABRAA">Top of section</a></div></div><a name="EAABRAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:2px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l3-EAABRAA\')"><img width="9" height="9" border="0" id="is3l3-EAABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l3-EAABRAA\')"><img width="9" height="9" border="0" id="is3l3-EAABRAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l3-EAABRAA\')" style="text-decoration:none;">');
</script><h5>FAQ for Spoofing Vulnerability - CAN-2004-0892:</h5><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l3-EAABRAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l3-EAABRAA'); }
</script><div class="expandoIndent"><p><b>What is the scope of the vulnerability?</b><br>This is a spoofing vulnerability. This vulnerability could enable an attacker to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site. However, an attacker would first have to persuade a user to visit the attacker’s site to attempt to exploit this vulnerability.</p><p><b>What causes the vulnerability?</b><br>The method that the affected software uses to cache reverse lookup results.</p><p><b>What is a reverse lookup?</b><br>In DNS, a reverse lookup is a query process by which the IP address of a host computer is searched to find its friendly DNS domain name. For more information about reverse lookup, visit the following <a href="http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_DNS_und_ReverseLookup.htm">Web site</a>. </p><p><b>What is wrong with way that the affected products cache reverse lookup results?</b><br>Proxy Server 2.0 and ISA Server 2000 cache the results of a reverse lookup and use that result for a forward (normal) lookup. This approach assumes that the hostname received during the reverse lookup is the valid hostname. The first time a reverse lookup is performed for a particular IP address, an attacker could provide a spoofed reverse lookup response for a domain name that they are not authoritative over. If a user then tries to access the resource by using the domain name that is supplied by the attacker, the user’s request would be routed to the incorrect IP address instead of being serviced by the valid content owner.</p><p><b>What is Proxy Server 2.0?</b><br>Proxy Server 2.0 acts as a gateway to the Internet for client computers. A proxy server generally acts as an intermediary between a private network and the Internet. Proxy Server 2.0 also caches Internet content for internal users to increase performance and to reduce outgoing network bandwidth. </p><p><b>What is ISA Server 2000?</b><br>ISA Server 2000 provides both an enterprise firewall and a high-performance Web cache. The firewall helps protects the network by regulating which resources can be accessed through the firewall, and under what conditions. The Web cache helps improve network performance by storing local copies of frequently-requested Web content. ISA Server can be installed in three modes: firewall mode, cache mode, or integrated mode. <br><br>Firewall mode allows an administrator to secure network communication by configuring rules that control communication between the corporate network and the Internet. Cache mode improves network performance by storing frequently accessed Web pages on the server itself. In integrated mode, all cache and firewall features are available. </p><p><b>What might an attacker use the vulnerability to do?</b><br>An attacker who successfully exploited this vulnerability could spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content such as a malicious Web site. Web sites as well as other types of Internet content could be spoofed if an attacker is successfully able to exploit this vulnerability.</p><p><b>Who could exploit the vulnerability?</b><br>Any anonymous user who could display a specially crafted Web page to a client using the ISA Server 2000 or Proxy Server 2.0 system could attempt to exploit this vulnerability. </p><p>In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content using banner advertisements or other ways to deliver Web content to clients of the ISA Server 2000 or Proxy Server 2.0 system. </p><p>Even if an attacker is able to display the malicious Web content to a client of the ISA Server 2000 or Proxy Server 2.0 system, the attacker would then have to craft the malicious response to the requesting ISA Server 2000 or Proxy Server 2.0 system to spoof the reverse lookup.</p><p><b>Could the vulnerability be exploited over the Internet? </b><br>Yes. An attacker could attempt to exploit this vulnerability over the Internet. </p><p><b>What does the update do?</b><br>The update removes the vulnerability by modifying the way that the affected products cache reverse lookup results.</p><p><b>When this security bulletin was issued, had this vulnerability been publicly disclosed?</b><br>No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.</p><p><b>When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?</b><br>No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued. </p></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EAABRAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EAABRAA">Top of section</a></div></div></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EABRAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EABRAA">Top of section</a></div></div></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EBRAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EBRAA">Top of section</a></div></div><a name="EARAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:6px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l1-EARAA\')"><img width="9" height="9" border="0" id="is3l1-EARAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l1-EARAA\')"><img width="9" height="9" border="0" id="is3l1-EARAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l1-EARAA\')" style="text-decoration:none;">');
</script><h3>Security Update Information</h3><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l1-EARAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l1-EARAA'); }
</script><div class="expandoIndent"><p><b>Installation Platforms and Prerequisites:</b></p><p>For information about the specific security update for your platform, click the appropriate link:</p><a name="EDARAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:2px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l2-EDARAA\')"><img width="9" height="9" border="0" id="is3l2-EDARAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l2-EDARAA\')"><img width="9" height="9" border="0" id="is3l2-EDARAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l2-EDARAA\')" style="text-decoration:none;">');
</script><h4>ISA Server 2000 Service Pack 1, ISA Server 2000 Feature Pack 1, ISA Server 2000 Service Pack 2, Small Business Server 2000, Small Business Server 2000 Service Pack 1, Small Business Server 2003</h4><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l2-EDARAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l2-EDARAA'); }
</script><div class="expandoIndent"><p><b>Prerequisites</b><br>This security update requires ISA Server Service Pack 1 (SP1), ISA Server 2000 Feature Pack 1, or ISA Server 2000 Service Pack 2 (SP2)</p><p><b>Inclusion in Future Service Packs:</b><br>The update for this issue will be included in a future service pack.</p><p><b>Installation Information</b></p><p>This security update supports the following setup switches:</p><p> <b>/help </b>Displays the command line options</p><p><b>Setup Modes</b></p><p> <b>/quiet </b> <b> </b>Quiet mode (no user interaction or display)</p><p> <b>/passive</b> Unattended mode (progress bar only)</p><p><b> /uninstall</b> Uninstalls the package</p><p><b>Restart Options </b></p><p> <b>/norestart</b> Do not restart when installation is complete</p><p> <b>/forcerestart</b> Restart after installation</p><p><b>Special Options </b></p><p> <b>/l</b> Lists installed Windows hotfixes or update packages</p><p> <b>/o</b> Overwrite OEM files without prompting</p><p> <b>/n</b> Do not backup files needed for uninstall</p><p> <b>/f</b> Force other programs to close when the computer shuts down</p><p> <b>/extract</b> Extracts files without starting setup </p><p><b>Note </b>You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see <a href="http://support.microsoft.com/kb/262841">Microsoft Knowledge Base Article 262841</a>.</p><p><b>Deployment Information</b></p><p>To install the security update, use the following command at a command prompt for ISA Server 2000:</p><p><b>Isa2000-kb888258-x86-enu.exe</b></p><p><b>Restart Requirement</b></p><p>This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.</p><p><b>Removal Information</b></p><p>To remove this update, use the Add or Remove Programs tool in Control Panel. Select <b>Security Update for Microsoft ISA Server 2000 (KB 888258),</b> and then click Add/Remove. If you installed this update while using ISA Server 2000 Service Pack 1 or ISA Server 2000 Feature Pack 1 you may uninstall this update. If you install this security update while using ISA Server 2000 Service Pack 1 or ISA Server 2000 Feature Pack 1, then install ISA Server 2000 Service Pack 2, and then uninstall this update, you must reinstall ISA Server 2000 Service Pack 2.</p><p><b>File Information</b></p><p>The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the <b>Time Zone</b> tab in the Date and Time tool in Control Panel.</p><p>ISA Server 2000 Service Pack 1, ISA Server Feature Pack 1, ISA Server 2000 Service Pack 2, Small Business Server 2000, Small Business Server 2000 Service Pack 1, Small Business Server 2003:</p><pre class="codeSample">
Date Time Version Size File name
----------------------------------------------------------
28-Oct-2004 00:32 3.0.1200.408 110,072 Msphlpr.dll
</pre><p><b>Verifying Update Installation </b></p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><b>File Version Verification</b></p><p><b>Note</b> Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.</p><table cellpadding="0" cellspacing="0" border="0" class="numberedList"><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>1.</p></td><td><p>Click <b>Start</b>, and then click <b>Search</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>2.</p></td><td><p>In the <b>Search Results</b> pane, click <b>All files and folders</b> under <b>Search Companion</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>3.</p></td><td><p>In the <b>All or part of the file name </b>box, type a file name from the appropriate file information table, and then click <b>Search</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>4.</p></td><td><p>In the list of files, right-click a file name from the appropriate file information table, and then click <b>Properties</b>. </p><p><b>Note</b> Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>5.</p></td><td><p>On the <b>Version</b> tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.</p><p><b>Note</b> Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.</p></td></tr></table></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><b>Registry Key Verification</b></p><p>You may also be able to verify the files that this security update has installed by reviewing the following registry keys.</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\408</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><b>Alternatively you can follow these steps to verify that the security update has installed:</b></p><table cellpadding="0" cellspacing="0" border="0" class="numberedList"><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>1.</p></td><td><p>Click <b>Start</b>, click <b>Settings</b>, and then click <b>Control Panel</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>2.</p></td><td><p>Double-click <b>Add/Remove Programs</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>3.</p></td><td><p>If Security Update for Microsoft ISA Server 2000 (KB888258) appears in the list, the security update has been successfully installed.</p></td></tr></table></td></tr></table></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EDARAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EDARAA">Top of section</a></div></div><p></p><a name="EBARAA"></a><table cellspacing="0" cellpadding="0" border="0"><tr><td style="padding:2px 6px 0px 0px;"><script type="text/javascript" language="javascript">
if(typeof(IsPrinterFriendly) == "undefined")
document.write('<a href="javascript:Toggle(\'s3l2-EBARAA\')"><img width="9" height="9" border="0" id="is3l2-EBARAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/plus.gif"></a>');
else
document.write('<a href="javascript:Toggle(\'s3l2-EBARAA\')"><img width="9" height="9" border="0" id="is3l2-EBARAA" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/minus.gif"></a>');
</script></td><td class="secLabel"><script type="text/javascript" language="javascript">
document.write('<a href="javascript:Toggle(\'s3l2-EBARAA\')" style="text-decoration:none;">');
</script><h4>Proxy Server 2.0 Service Pack 1</h4><script type="text/javascript" language="javascript">
document.write('</a>');
</script></td></tr></table><div id="s3l2-EBARAA"><script type="text/javascript" language="javascript">
if(document.getElementById && typeof(IsPrinterFriendly) == "undefined"){ Hide('s3l2-EBARAA'); }
</script><div class="expandoIndent"><p><b>Prerequisites</b><br>This security update requires the release version of Proxy Server 2.0 Service Pack 1.</p><p><b>Deployment Information</b></p><p>To install the security update, use the following command at a command prompt:</p><p><b>Proxy20-KB888258-x86-enu.exe</b></p><p><b>Restart Requirement</b></p><p>You must restart your system after you apply this security update.</p><p><b>Removal Information</b></p><p>You can remove the Proxy Server 2.0 Service Pack 1 security update by using the Add/Remove Programs tool in the Control Panel. Select <b>Proxy Server 2.0 Hotfix - KB888258</b>, and then click Add/Remove.</p><p><b>File Information</b></p><p>The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the <b>Time Zone</b> tab in the Date and Time tool in Control Panel.</p><p>Proxy Server 2.0:</p><pre class="codeSample">
Date Time Version Size File name
-----------------------------------------------------
28-Oct-2004 01:18 2.0.390.16 43,280 W3pcache.dll
28-Oct-2004 01:26 2.0.390.16 192,784 W3proxy.dll
28-Oct-2004 01:18 2.0.390.16 97,040 Wspsrv.exe
</pre><p><b>Note</b> The file versions of these files are the same as the Proxy Server 2.0 Server Pack 1 files. You cannot use the files version information to verify successful installation.</p><p><b>Verifying Update Installation </b></p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><b>File Installation Verification</b></p><p><b>Note</b> Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.</p><table cellpadding="0" cellspacing="0" border="0" class="numberedList"><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>1.</p></td><td><p>Click <b>Start</b>, and then click <b>Search</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>2.</p></td><td><p>In the <b>Search Results </b>pane, click <b>All files and folders</b> under <b>Search Companion</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>3.</p></td><td><p>In the <b>All or part of the file name </b>box, type a file name from the appropriate file information table, and then click <b>Search</b>.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>4.</p></td><td><p>In the list of files, right-click a file name from the appropriate file information table, and then click <b>Properties</b>. </p><p><b>Note</b> Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.</p></td></tr><tr valign="top"><td class="listNumber" nowrap="" align="right"><p>5.</p></td><td><p>Determine the created date and time information of the files that are installed on your system and compare it to the date and time information that is documented in the file information table. Make sure to calculate the difference between UTC based date and time information and your local time zone when comparing date and time information.</p><p><b>Note</b> The file versions of these files are the same as the Proxy Server 2.0 Server Pack 1 files. You cannot use the files version to verify successful installation.</p></td></tr></table></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><b>Registry Key Verification</b></p><p>You may also be able to verify the files that this security update has installed by reviewing the following registry keys.</p><p>For Proxy Server 2.0 Service Pack 1</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\HotFix\KB888258</p></td></tr></table></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EBARAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EBARAA">Top of section</a></div></div><p></p></div><div style="margin-top: 3px; margin-bottom: 10px"><a href="#EARAA"><img width="7" height="9" border="0" src="/library/gallery/templates/MNP2.SecurityBulletin/../MNP2.Common/images/arrow_px_up.gif" alt="Top of section"></a><a class="topOfPage" href="#EARAA">Top of section</a></div></div></div><p><b>Acknowledgments</b></p><p>Microsoft <a href="http://go.microsoft.com/fwlink/?LinkId=21127">thanks</a> the following for working with us to help protect customers:</p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><a href="mailto:martijnv@infosupport.com">Martijn de Vries</a> of Info Support for discovering and <a href="mailto:thomask@infosupport.com">Thomas de Klerk</a> of Info Support for reporting the Spoofing Vulnerability (CAN-2004-0892).</p></td></tr></table><p><b>Obtaining Other Security Updates:</b></p><p>Updates for other security issues are available from the following locations:</p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Security updates are available from the <a href="http://go.microsoft.com/fwlink/?LinkId=21129">Microsoft Download Center</a>. You can find them most easily by doing a keyword search for "security_patch."</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Updates for consumer platforms are available from the <a href="http://go.microsoft.com/fwlink/?LinkId=21130">Windows Update Web site</a>. </p></td></tr></table><p><b>Support: </b></p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Customers in the U.S. and Canada can receive technical support from <a href="http://go.microsoft.com/fwlink/?LinkId=21131">Microsoft Product Support Services</a> at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the <a href="http://go.microsoft.com/fwlink/?LinkId=21155">International Support Web site</a>.</p></td></tr></table><p><b>Security Resources: </b></p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>The <a href="http://go.microsoft.com/fwlink/?LinkId=21132">Microsoft TechNet Security</a> Web site provides additional information about security in Microsoft products. </p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><a href="http://go.microsoft.com/fwlink/?LinkId=21134">Microsoft Baseline Security Analyzer</a> (MBSA) </p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><a href="http://go.microsoft.com/fwlink/?LinkId=21130">Windows Update</a> </p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>Windows Update Catalog: For more information about the Windows Update Catalog, see <a href="http://support.microsoft.com/kb/323166">Microsoft Knowledge Base Article 323166</a>.</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p><a href="http://go.microsoft.com/fwlink/?LinkId=21135">Office Update</a> </p></td></tr></table><p><b>Systems Management Server:</b></p><p>Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the <a href="http://go.microsoft.com/fwlink/?LinkId=22939">SMS 2003 Security Patch Management Web site</a>. SMS 2.0 users can also use <a href="http://go.microsoft.com/fwlink/?LinkId=33340">Software Updates Service Feature Pack</a> to help deploy security updates. For information about SMS, visit the <a href="http://go.microsoft.com/fwlink/?LinkId=21158">SMS Web site</a>.</p><p><b>Note </b>SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, see the following <a href="http://go.microsoft.com/fwlink/?LinkId=33341">Web site</a>. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the <a href="http://go.microsoft.com/fwlink/?LinkId=33387">SMS 2003 Administration Feature Pack</a> and in the <a href="http://go.microsoft.com/fwlink/?LinkId=21161">SMS 2.0 Administration Feature Pack</a>) to install these updates.</p><p><b>Disclaimer: </b></p><p>The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.</p><p><b>Revisions:</b> </p><table cellspacing="0" cellpadding="0" border="0"><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>V1.0 (November 9, 2004): Bulletin published</p></td></tr><tr><td class="listBullet" valign="top">•</td><td class="listItem"><p>V2.0 (November 9, 2004): Bulletin updated to reflect the release of an updated ISA Server 2000 security update for the German language only. This issue does not affect any other language version of this security update.</p></td></tr></table>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed