Last July 8th Microsoft released the security update MS08-039 for OWA, the following Exchange versions are affected:
Maximum Security Impact
Aggregate Severity Rating
Bulletins Replaced by this Update
Microsoft Exchange Server 2003 Service Pack 2
Elevation of Privilege
None (See Update FAQ for additional details)
Microsoft Exchange Server 2007
Microsoft Exchange Server 2007 Service Pack 1
If you question is: can ISA Server 2006 help to mitigate this attack? The answer is that it potentially can since ISA Server 2006 can block cross site scripting by inspecting the HTTP requests and identifying commands and tags that are common in server responses but are not common in client requests. For more information about this review on ISA Server TechNet Library the problem and the solution.
Note: While this can help to prevent this vulnerability, it is still STRONGLY RECOMMEND applying this update in the Exchange Servers since the attack could be exploited from an internal resource bypassing ISA.