Microsoft says that the ISA memory leak is triggered by a particular type of malformed H.323 data. The software giant acknowledges that an attacker can incrementally deplete the resources of a server by repeatedly sending the same malformed H.323 data.

In a now-familiar scenario, Microsoft confirms that it’s possible to so deplete the resources of a Windows 2000 server that other services and applications which reside on the same system could be affected, as well. In a worst case scenario, an attacked server could stop responding altogether.

According to Microsoft, the vulnerability only affects ISA servers that have the H.323 service installed and enabled. The software giant says that H.323 is *not* enabled by default when ISA is installed with its “Typical” configuration options. H.323 *is* installed when administrators perform “Full” installations of ISA, however.

Microsoft says that only users on a LAN can exploit the ISA Proxy service vulnerability, however. It’s not possible for an attacker to exploit this vulnerability over the Internet.

The error page that ISA Server returns in response to a malformed submission of this kind contains the malicious script commands that were embedded in the original URL. According to Microsoft, these script commands would execute when the page was displayed in a targeted user’s browser. The software giant says that the script would run in the security domain of the web site referenced in the URL and would also be able to access any cookies which the site has written to the user’s machine.

Microsoft says that exploiting the ISA cross-site scripting vulnerability would amount to a “daunting challenge” because an attacker would have to know which Web sites a targeted user’s Web browser is configured to trust. On the other hand, the software giant allows, it’s possible that an attacker could include a link to an unavailable Web site that she believes an ISA user has reason to trust.

Finally, Microsoft released a long-awaited patch to fix a vulnerability associated with an ActiveX control – dubbed Outlook View Control (OVW) – which Outlook 98, Outlook 2000 and Outlook 2002 leverage as a means to allow mail folders to be viewed as Web pages.

An attacker could exploit this vulnerability by luring an unsuspecting user to a Web page that contains script or HTML which invokes OVW whenever a page is opened in Internet Explorer. She could then take almost any action on an affected user’s machine, including deleting e-mails or executing arbitrary code.

Microsoft initially suggested an administrative work-around for Outlook clients that were affected by this vulnerability, and the software giant says that it is only providing patches for Outlook 2000 and Outlook 2002. Microsoft confirms that no patch is planned for Outlook 98 because it’s no longer supported.