Forefront TMG (ISA Server) Product Team Blog : Blocking VML with ISA 2004 & ISA 2006

Blocking VML with ISA 2004 & ISA 2006

http://www.microsoft.com/technet/security/advisory/925568.mspx discusses a vulnerability in the VML parsing dll which can result in an unpleasant experience.

http://www.microsoft.com/technet/isa/2006/how-to-block-vml.mspx discusses a methodology by which you can use ISA 2004 or ISA 2006 to block HTTP-based attacks targeted against this vulnerability.

Finally, http://isatools.org/block_vml.vbs automates the process of creating the proper HTTP Filter settings for you.

Tim's report was accurate (see my comments). I've updated the script to version 1.2 and reposted it. Many thanx to Tim for his discovery.

Thank you,

Jim Harrison (ISA Sustained Engineering)

Published Monday, September 25, 2006 8:07 PM by isablog

Comments

# re: Blocking VML with ISA 2004 & ISA 2006

I've just re-downloaded the script from the IsaTools.org link above to verify and in fact I did paste the wrong code snippet into my blog entry (now corrected, apologies for the confusion). The content was substantially correct and the addition of parenthesis was my first stab at troubleshooting the script.

I understand and support the statement that people should only use the "official" script - the changes I made are documented in my blog entry for anyone who wants to do likewise.

Monday, September 25, 2006 4:15 PM by Tim Long

# re: Blocking VML with ISA 2004 & ISA 2006

UPDATE

Tim's report uncovered an odditiy in VBScript processing of the 'and' test. changing the script to a 'nested if' fixed the problem.

..I like JScript soooo much better...

Monday, September 25, 2006 5:27 PM by isablog

# Blog du Tristank : ISA Server Product Team Blog : Blocking VML with ISA 2004 & ISA 2006

PingBack from http://blogs.technet.com/tristank/archive/2006/09/26/459024.aspx

Tuesday, September 26, 2006 3:31 AM by Blog du Tristank : ISA Server Product Team Blog : Blocking VML with ISA 2004 & ISA 2006

# Hur man blockerar VML-vulnen med ISA Server

Hej på er,
Som ett avbrott i byggandet, ISA Teamet har postat i sin blog hur man gör för att skydda...

Tuesday, September 26, 2006 5:05 AM by Michael Anderberg, CISSP - Microsoft AB

# Hot to block the VML exploit using ISA

The ISA product team blog has details and links to instructions on how to configure ISA 200x to block...

Tuesday, September 26, 2006 7:14 AM by AlunR

# re: Blocking VML with ISA 2004 & ISA 2006

Just installed in a test environment and had one problme on ISA 2006. It broke rpc/https publishing. I had to uncheck the filters to make it work.

Tuesday, September 26, 2006 8:45 AM by Donald

Anonymous comments are disabled

Forefront TMG (ISA Server) Product Team Blog

This Blog

Syndication

Search

Tags

Archives

Related Blogs

Blocking VML with ISA 2004 & ISA 2006

Comments

# re: Blocking VML with ISA 2004 & ISA 2006

# re: Blocking VML with ISA 2004 & ISA 2006

# Blog du Tristank : ISA Server Product Team Blog : Blocking VML with ISA 2004 & ISA 2006

# Hur man blockerar VML-vulnen med ISA Server

# Hot to block the VML exploit using ISA

# re: Blocking VML with ISA 2004 & ISA 2006

Forefront TMG (ISA Server) Product Team Blog

This Blog

Syndication

Search

Tags

Archives

Related Blogs

Blocking VML with ISA 2004 & ISA 2006

Comments

# re: Blocking VML with ISA 2004 & ISA 2006

# re: Blocking VML with ISA 2004 & ISA 2006

# Blog du Tristank : ISA Server Product Team Blog : Blocking VML with ISA 2004 &amp; ISA 2006

# Hur man blockerar VML-vulnen med ISA Server

# Hot to block the VML exploit using ISA

# re: Blocking VML with ISA 2004 & ISA 2006

# Blog du Tristank : ISA Server Product Team Blog : Blocking VML with ISA 2004 & ISA 2006