MS09-031: Vulnerability in Microsoft ISA Server 2006 could cause elevation of privilege

Microsoft has released security bulletin MS09-031. To view the complete security bulletin, visit one of the following Microsoft Web sites:

• Home users:
  http://www.microsoft.com/protect/computer/updates/bulletins/200907.mspx
  Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Web site now:
  http://update.microsoft.com/microsoftupdate/
• IT professionals:
  http://www.microsoft.com/technet/security/bulletin/MS09-031.mspx

How to obtain help and support for this security update

For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support Web site: North American customers can also obtain instant access to unlimited no-charge e-mail support or to unlimited individual chat support by visiting the following Microsoft Web site: For enterprise customers, support for security updates is available through your usual support contacts.

Known issues with this security update

• If you install this security update after you have customized any of the following .htm files, the update does not replace the customized .htm file:
  
  Usr_pcode.htm
  Usr_pwd.htm
  Logout_smimecap.htm
  
  To avoid this issue, you must restore the original .htm file, apply the security update, and then customize the updated .htm file.
  
  For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
  955127� After you apply hotfix 955151, ISA Server 2006 supports the Secure/MIME feature in Exchange Server 2007
  955122� The logon page does not appear correctly if you select French for the Internet Explorer language when you try to log on to an Outlook Web Access site that is published by using ISA Server 2006
  955112� The Outlook Web Access logon form does not display the "This is a private computer" option when you publish an Outlook Web Access site by using ISA Server 2006 with Service Pack 1
• An administrator may be able to install the wrong version of this update if it was obtained from the Microsoft Download Center (DC). When this occurs, the update will indicate successful installation. However, the relevant binaries will not be updated to the updated versions. This issue may occur because of a problem in the installer detection logic that does not correctly determine the installed product revision. This issue will not occur if the computer is updated by using Microsoft Update, Automatic updates, Microsoft Windows Server Update Services (WSUS), or Microsoft Systems Management Server (SMS).
  Collapse this tableExpand this table

  ISA Server 2006 Revision	Update Target	Install State	Update State
  RTM	RTM	Success	Updated
  	SU	Failure	Not Updated
  	SP1	Failure	Not Updated
  Supportability Update (SU)	RTM	Success	Not Updated
  	SU	Success	Updated
  	SP1	Failure	Not Updated
  Service Pack 1 (SP1)	RTM	Success	Not Updated
  	SU	Success	Not Updated
  	SP1	Success	Updated

Additional information about this security update

For more information about this security update, including file information and information about any known issues with specific releases of this software, click the following article numbers to view the articles in the Microsoft Knowledge Base: