MS09-031: Vulnerability in Microsoft ISA Server 2006 could cause elevation of privilege

This article has been archived. It is offered "as is" and will no longer be updated.
Microsoft has released security bulletin MS09-031. To view the complete security bulletin, visit one of the following Microsoft Web sites:

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support


Known issues with this security update

  • If you install this security update after you have customized any of the following .htm files, the update does not replace the customized .htm file:


    To avoid this issue, you must restore the original .htm file, apply the security update, and then customize the updated .htm file.

    For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    955127 After you apply hotfix 955151, ISA Server 2006 supports the Secure/MIME feature in Exchange Server 2007
    955122 The logon page does not appear correctly if you select French for the Internet Explorer language when you try to log on to an Outlook Web Access site that is published by using ISA Server 2006
    955112 The Outlook Web Access logon form does not display the "This is a private computer" option when you publish an Outlook Web Access site by using ISA Server 2006 with Service Pack 1
  • An administrator may be able to install the wrong version of this update if it was obtained from the Microsoft Download Center (DC). When this occurs, the update will indicate successful installation. However, the relevant binaries will not be updated to the updated versions. This issue may occur because of a problem in the installer detection logic that does not correctly determine the installed product revision. This issue will not occur if the computer is updated by using Microsoft Update, Automatic updates, Microsoft Windows Server Update Services (WSUS), or Microsoft Systems Management Server (SMS).
    ISA Server 2006 Revision   | Update Target | Install State | Update State
                               | SU            | Failure       | Not Updated
                               | SP1           | Failure       | Not Updated
    Supportability Update (SU) | RTM           | Success       | Not Updated
    Supportability Update (SU) | SP1           | Failure       | Not Updated
    Service Pack 1 (SP1)       | RTM           | Success       | Not Updated
    Service Pack 1 (SP1)       | SU            | Success       | Not Updated

Additional information about this security update

For more information about this security update, including file information and information about any known issues with specific releases of this software, click the following article numbers to view the articles in the Microsoft Knowledge Base:
970811 Description of the security update for Microsoft ISA Server 2006: July 14, 2009
971143 Description of the ISA Server 2006 hotfix package: July 14, 2009

Article ID: 970953 - Last Review: 01/16/2015 03:57:04 - Revision: 4.0

  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition