Reported April 16, 2001, by Microsoft.

VERSION AFFECTED

· Microsoft Internet Security and Acceleration (ISA) Server 2000

DESCRIPTION

When using Web publishing to bridge HTTP traffic to a Web server, a malicious attacker can use an invalid Web request containing a certain malformed argument to cause an access violation in the Web proxy service, denying service for legitimate traffic. Microsoft disables this service by default.

VENDOR RESPONSE

Microsoft has issued security bulletin MS01-021 to address this vulnerability and has also issued a hotfix that enables ISA’s Web proxy service to correctly treat this request as invalid.

CREDIT

Discovered by Dr. Richard Reiner, Graham Wiseman, Matthew Siemens, and Kent Nicolson of SecureXpert Labs, a division of FSC Internet Corporation.