MS admits flaw in core security product

Just days after announcing that the company had rededicated itself to improving the security of its products, Microsoft has acknowledged that the firewall and proxy server it released in February is vulnerable to a denial of service attack.

The Internet Security and Acceleration Server is Microsoft's first true security product, and it was meant to mark the beginning of a serious company-wide push into the security market.

The DoS vulnerability is caused by the way the server's Web Proxy service handles long Web requests. If an attacker sent a series of specially formatted commands to a server running ISA 1.0, Service Pack 1 on Windows 2000, the proxy service would fail, thereby denying all incoming and outgoing proxy requests.

If the server is configured to use the Web Publishing service, which is used to publish Web content outside the network, the attack could be launched remotely.

However, the vulnerability does not give the attacker access to the network or enable him or her to execute any other attacks, Microsoft said.

Although the attack fails to breach the security of the firewall, the disclosure comes at an inopportune time for the Redmond, Wash., software company. At the RSA Security show last week in San Francisco, Microsoft officials outlined a series of internal company programs and product initiatives that are designed to buff up what has been a spotty reputation in the security community.

Among the new efforts is an internal education program meant to help software engineers keep security in mind during the programming phase, so as to avoid the disclosure of vulnerabilities after a product's release.


Talkback (1 comment)

    Anonymous -- 22/04/01

    An excellent response from Microsoft. I am pleased to see that the company that wants to store and manage all my digital information, from bank account details to logins and passwords, has decided to educate its "software engineers" (programmers) to "keep security in mind".

    And the purpose? To "avoid the disclosure of vulnerabilities after a product's release". Geez, and I thought security was their first priority.

    Perhaps a better idea would be to have better design of their programs, not just have security as an afterthought.
