Microsoft Security Bulletin MS04-039

Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)

Issued: November 9, 2004
Updated: November 9, 2004
Version: 2.0

Summary

Who should read this document: Customers who use Microsoft Proxy Server 2.0 or Microsoft Internet Security and Acceleration (ISA) Server 2000

Impact of Vulnerability:  Spoofing

Maximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest opportunity.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Proxy Server 2.0 Service Pack 1– Download the update

Microsoft Internet Security and Acceleration Server 2000 Service Pack 1 and Microsoft Internet Security and Acceleration Server 2000 Service Pack 2 – Download the update

Note The following software programs include Microsoft Internet Security and Acceleration Server 2000 (ISA Server 2000). Customers using these software programs should install the provided ISA Server 2000 security update.

Microsoft Small Business Server 2000

Microsoft Small Business Server 2003 Premium Edition

Non-Affected Software:

Microsoft Internet Security and Acceleration (ISA) Server 2004

The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

Top of sectionTop of section

General Information

Executive Summary

Executive Summary:

This update resolves a newly-discovered, privately reported vulnerability. The vulnerability is documented in the Vulnerability Details section of this bulletin. This vulnerability could enable an attacker to spoof trusted Internet content.

We recommend that customers install the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:

Vulnerability IdentifiersImpact of VulnerabilityISA Server 2000Proxy Server 2.0

Spoofing Vulnerability - CAN-2004-0892

Spoofing

Important

Important

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Top of sectionTop of section

Frequently asked questions (FAQ) related to this security update

Why was this security bulletin updated on November 9, 2004?
After the release of the MS04-039 security bulletin, Microsoft became aware of an issue affecting ISA Server 2000 customers deploying the German language version of the security update. The originally released version of the ISA Server 2000 German language security update required ISA Server 2000 Service Pack 2. The updated version of the ISA Server 2000 German language security update can be installed on ISA Server 2000 systems using ISA Server 2000 Service Pack 1 or ISA Server 2000 Service Pack 2. This issue only affected the German language version of the security update. The original version of this security update did protect against the vulnerability described in this security bulletin. Customers using the German language version of ISA Server 2000 Service Pack 2 who successfully installed the originally released security update do not need to take any action.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
No. MBSA does not currently support the detection of the affected products. For detailed information about the programs that MBSA currently does not detect, see Microsoft Knowledge Base Article 306460. If you have installed any of the programs that are listed in the Affected Software section of this security bulletin, you may have to manually install the required update. For more information about MBSA, visit the MBSA Web site.

Can I use Systems Management Server (SMS) to determine if this update is required?
Yes. SMS can help detect and deploy this security update. SMS uses MBSA for detection; therefore, SMS has the same limitation listed earlier in this bulletin related to programs that MBSA does not detect. Although SMS cannot detect the affected software using MBSA, administrators can use SMS to find the affected files and update them. You can also deploy this update using the Inventory and Software Distribution feature of SMS. For information about SMS, visit the SMS Web site.

Can I use SMS to determine if programs are installed that have to be updated?
Yes. SMS can help detect if there are programs installed that may have installed a version of the vulnerable component. For ISA Server 2000, SMS can search for the existence of the Msphlpr.dll file. Update all versions of the Msphlpr.dll file that are earlier than version 3.0.1200.408. For Proxy Server 2.0 Service Pack 1, review the file information in the Proxy Server 2.0 Service Pack 1 Security Update Information section of this security bulletin for complete file information details.

Top of sectionTop of section

Vulnerability Details

Spoofing Vulnerability - CAN-2004-0892:

This is a spoofing vulnerability that exists in the affected products and that could enable an attacker to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site. However, an attacker would first have to persuade a user to visit the attacker’s site to attempt to exploit this vulnerability.

Mitigating Factors for Spoofing Vulnerability - CAN-2004-0892:

This vulnerability would not allow an attacker to spoof an SSL certificate. An attacker would not be able to successfully use SSL certificates that belong to other domain names. For example, a spoofed Web site cannot use a trusted Web site’s SSL certificate to establish an SSL session with a user. If a spoofed Web site tries to do this, authentication fails and the user receives a warning message.

An attacker would first have to persuade a user view content that causes a reverse lookup to occur. For example, an attacker could persuade a user to visit the attacker’s Web site by using an IP address that would cause a reverse lookup to occur.

Systems that enable the default Site and Content rule permitting “All traffic” to “All Destinations” are not affected by this vulnerability. However this rule is generally disabled as a security best practice guideline and we do not recommend enabling to help mitigate this issue vulnerability.

Workarounds for Spoofing Vulnerability - CAN-2004-0892:

Set the DNS Cache size to zero on the affected software.
Setting the DNS Cache size to zero effectively disables DNS caching on the affected system. This would prevent the affected software from using potentially spoofed data from the cache. This may have negative performance impact on DNS resolution. This should only be done on systems that are not able apply the security update as a short term workaround. See Microsoft Knowledge Base Article 889189 for detailed instructions on how to perform this procedure.

If you suspect that your system has been effected by attempts to exploit this vulnerability, you can clear the web proxy cache to help remove the suspected malicious content. Microsoft Knowledge Base Article 889189 provides detailed instructions on how to perform this procedure.

FAQ for Spoofing Vulnerability - CAN-2004-0892:

What is the scope of the vulnerability?
This is a spoofing vulnerability. This vulnerability could enable an attacker to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious Web site. However, an attacker would first have to persuade a user to visit the attacker’s site to attempt to exploit this vulnerability.

What causes the vulnerability?
The method that the affected software uses to cache reverse lookup results.

What is a reverse lookup?
In DNS, a reverse lookup is a query process by which the IP address of a host computer is searched to find its friendly DNS domain name. For more information about reverse lookup, visit the following Web site.

What is wrong with way that the affected products cache reverse lookup results?
Proxy Server 2.0 and ISA Server 2000 cache the results of a reverse lookup and use that result for a forward (normal) lookup. This approach assumes that the hostname received during the reverse lookup is the valid hostname. The first time a reverse lookup is performed for a particular IP address, an attacker could provide a spoofed reverse lookup response for a domain name that they are not authoritative over. If a user then tries to access the resource by using the domain name that is supplied by the attacker, the user’s request would be routed to the incorrect IP address instead of being serviced by the valid content owner.

What is Proxy Server 2.0?
Proxy Server 2.0 acts as a gateway to the Internet for client computers. A proxy server generally acts as an intermediary between a private network and the Internet. Proxy Server 2.0 also caches Internet content for internal users to increase performance and to reduce outgoing network bandwidth.

What is ISA Server 2000?
ISA Server 2000 provides both an enterprise firewall and a high-performance Web cache. The firewall helps protects the network by regulating which resources can be accessed through the firewall, and under what conditions. The Web cache helps improve network performance by storing local copies of frequently-requested Web content. ISA Server can be installed in three modes: firewall mode, cache mode, or integrated mode.

Firewall mode allows an administrator to secure network communication by configuring rules that control communication between the corporate network and the Internet. Cache mode improves network performance by storing frequently accessed Web pages on the server itself. In integrated mode, all cache and firewall features are available.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content such as a malicious Web site. Web sites as well as other types of Internet content could be spoofed if an attacker is successfully able to exploit this vulnerability.

Who could exploit the vulnerability?
Any anonymous user who could display a specially crafted Web page to a client using the ISA Server 2000 or Proxy Server 2.0 system could attempt to exploit this vulnerability.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content using banner advertisements or other ways to deliver Web content to clients of the ISA Server 2000 or Proxy Server 2.0 system.

Even if an attacker is able to display the malicious Web content to a client of the ISA Server 2000 or Proxy Server 2.0 system, the attacker would then have to craft the malicious response to the requesting ISA Server 2000 or Proxy Server 2.0 system to spoof the reverse lookup.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet.

What does the update do?
The update removes the vulnerability by modifying the way that the affected products cache reverse lookup results.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Top of sectionTop of section
Top of sectionTop of section

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

ISA Server 2000 Service Pack 1, ISA Server 2000 Feature Pack 1, ISA Server 2000 Service Pack 2, Small Business Server 2000, Small Business Server 2000 Service Pack 1, Small Business Server 2003

Prerequisites
This security update requires ISA Server Service Pack 1 (SP1), ISA Server 2000 Feature Pack 1, or ISA Server 2000 Service Pack 2 (SP2)

Inclusion in Future Service Packs:
The update for this issue will be included in a future service pack.

Installation Information

This security update supports the following setup switches:

      /help                 Displays the command line options

Setup Modes

      /quiet                Quiet mode (no user interaction or display)

      /passive            Unattended mode (progress bar only)

      /uninstall          Uninstalls the package

Restart Options

      /norestart          Do not restart when installation is complete

      /forcerestart      Restart after installation

Special Options

      /l                        Lists installed Windows hotfixes or update packages

      /o                       Overwrite OEM files without prompting

      /n                       Do not backup files needed for uninstall

      /f                        Force other programs to close when the computer shuts down

      /extract             Extracts files without starting setup

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the previous version of the setup utility uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.

Deployment Information

To install the security update, use the following command at a command prompt for ISA Server 2000:

Isa2000-kb888258-x86-enu.exe

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a restart. If this occurs, a message appears that advises you to restart.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel. Select Security Update for Microsoft ISA Server 2000 (KB 888258), and then click Add/Remove. If you installed this update while using ISA Server 2000 Service Pack 1 or ISA Server 2000 Feature Pack 1 you may uninstall this update. If you install this security update while using ISA Server 2000 Service Pack 1 or ISA Server 2000 Feature Pack 1, then install ISA Server 2000 Service Pack 2, and then uninstall this update, you must reinstall ISA Server 2000 Service Pack 2.

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

ISA Server 2000 Service Pack 1, ISA Server Feature Pack 1, ISA Server 2000 Service Pack 2, Small Business Server 2000, Small Business Server 2000 Service Pack 1, Small Business Server 2003:

Date         Time   Version        Size       File name   
----------------------------------------------------------
28-Oct-2004  00:32  3.0.1200.408   110,072    Msphlpr.dll

Verifying Update Installation

File Version Verification

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1.

Click Start, and then click Search.

2.

In the Search Results pane, click All files and folders under Search Companion.

3.

In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.

4.

In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

5.

On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.

Note Attributes other than file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying the update installation. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the following registry keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\408

Alternatively you can follow these steps to verify that the security update has installed:

1.

Click Start, click Settings, and then click Control Panel.

2.

Double-click Add/Remove Programs.

3.

If Security Update for Microsoft ISA Server 2000 (KB888258) appears in the list, the security update has been successfully installed.

Top of sectionTop of section

Proxy Server 2.0 Service Pack 1

Prerequisites
This security update requires the release version of Proxy Server 2.0 Service Pack 1.

Deployment Information

To install the security update, use the following command at a command prompt:

Proxy20-KB888258-x86-enu.exe

Restart Requirement

You must restart your system after you apply this security update.

Removal Information

You can remove the Proxy Server 2.0 Service Pack 1 security update by using the Add/Remove Programs tool in the Control Panel. Select Proxy Server 2.0 Hotfix - KB888258, and then click Add/Remove.

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Proxy Server 2.0:

Date         Time   Version     Size     File name
-----------------------------------------------------
28-Oct-2004  01:18  2.0.390.16   43,280  W3pcache.dll
28-Oct-2004  01:26  2.0.390.16  192,784  W3proxy.dll
28-Oct-2004  01:18  2.0.390.16   97,040  Wspsrv.exe

Note The file versions of these files are the same as the Proxy Server 2.0 Server Pack 1 files. You cannot use the files version information to verify successful installation.

Verifying Update Installation

File Installation Verification

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1.

Click Start, and then click Search.

2.

In the Search Results pane, click All files and folders under Search Companion.

3.

In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.

4.

In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

5.

Determine the created date and time information of the files that are installed on your system and compare it to the date and time information that is documented in the file information table. Make sure to calculate the difference between UTC based date and time information and your local time zone when comparing date and time information.

Note The file versions of these files are the same as the Proxy Server 2.0 Server Pack 1 files. You cannot use the files version to verify successful installation.

Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the following registry keys.

For Proxy Server 2.0 Service Pack 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\HotFix\KB888258

Top of sectionTop of section

Top of sectionTop of section

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Martijn de Vries of Info Support for discovering and Thomas de Klerk of Info Support for reporting the Spoofing Vulnerability (CAN-2004-0892).

Obtaining Other Security Updates:

Updates for other security issues are available from the following locations:

Security updates are available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."

Updates for consumer platforms are available from the Windows Update Web site.

Support:

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Microsoft Baseline Security Analyzer (MBSA)

Windows Update 

Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.

Office Update 

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, see the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions: 

V1.0 (November 9, 2004): Bulletin published

V2.0 (November 9, 2004): Bulletin updated to reflect the release of an updated ISA Server 2000 security update for the German language only. This issue does not affect any other language version of this security update.