http://www.microsoft.com/technet/security/advisory/925568.mspx discusses a vulnerability in the VML parsing dll which can result in an unpleasant experience.
http://www.microsoft.com/technet/isa/2006/how-to-block-vml.mspx discusses a methodology by which you can use ISA 2004 or ISA 2006 to block HTTP-based attacks targeted against this vulnerability.
Finally, http://isatools.org/block_vml.vbs automates the process of creating the proper HTTP Filter settings for you.
Tim's report was accurate (see my comments). I've updated the script to version 1.2 and reposted it. Many thanx to Tim for his discovery.
Jim Harrison (ISA Sustained Engineering)
I've just re-downloaded the script from the IsaTools.org link above to verify and in fact I did paste the wrong code snippet into my blog entry (now corrected, apologies for the confusion). The content was substantially correct and the addition of parenthesis was my first stab at troubleshooting the script.
I understand and support the statement that people should only use the "official" script - the changes I made are documented in my blog entry for anyone who wants to do likewise.
Tim's report uncovered an odditiy in VBScript processing of the 'and' test. changing the script to a 'nested if' fixed the problem.
..I like JScript soooo much better...
PingBack from http://blogs.technet.com/tristank/archive/2006/09/26/459024.aspx
Hej på er,
Som ett avbrott i byggandet, ISA Teamet har postat i sin blog hur man gör för att skydda...
The ISA product team blog has details and links to instructions on how to configure ISA 200x to block...
Just installed in a test environment and had one problme on ISA 2006. It broke rpc/https publishing. I had to uncheck the filters to make it work.
Hello! Very interesting. Thank you.