I wanted to provide an update the last post as it appears there has been some confusion around the affected components and releases. The potential threats due to this vulnerability are discussed specifically in Microsoft Security Advisory (973472). The reason ISA Server 2000 and Forefront TMG are both included in the vulnerable products list are due to the installation of OWC as part of the report generation functionality. However, both ISA Server 2000 and Forefront TMG themselves are not subject to attack through the vulnerability described. We recommend that the mitigation methods offered by the security advisory be employed to prevent attack on the ISA Server or TMG server when browsing from the server itself to a malicious web site. To recap:
ISA Server 2000 and Forefront TMG are included in the list of vulnerable products list due to the installation of OWC as part of the report generation functionality.
ISA Server 2000 and Forefront TMG report generation and report viewing are not subject to direct attack through this vulnerability.
I apologize if there was any confusion in the previous blog post. We always strive for expediency and transparency and as much detail whenever possible.
David B. Cross
Product Unit Manager