Microsoft has issued Service Pack 2 for ISA Server 2000. This includes patches for all previously reported vulnerabilities as well as older hot fixes, where some address potential security issues.

1) ICMP traffic is not blocked by the ISA Server 2000 while starting up, even though it has been restricted in the firewall policies. This allows malicious people to detect the presence of the system during a short period of time.

2) In certain cases, basic credentials may be sent over external HTTP connections even though this has been configured as SSL required. This may potentially disclose sensitive information to certain people, who are able to intercept the traffic.

3) The web proxy service may crash during the processing of HTTP redirect actions, when a content rule denies access.

4) Certain site and content rules can be bypassed when access to specific destinations are denied due to a canonicalization error. The problem is that a rule may not apply if a user requests an URL with a period (.) appended to the end.

Example:
http://www.restricted_site.com.

5) Under certain circumstances, a malformed SSL packet may crash the web proxy when "web publishing" a SSL web site.

Solution
Apply Service Pack 2.
Further details available in Customer Area

Provided and/or discovered by
Reported by vendor.

Original Advisory
ISA Server 2000 Service Pack 2 Release Notes:
http://support.microsoft.com/default.aspx?kbid=816460

Deep Links
Links available in Customer Area