Technical Information

Brief overview of the risk:
This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.
Detailed Information on the risk:

An elevation of privilege vulnerability exists in ISA Server 2006 authentication when configured with Radius OTP. The vulnerability could allow an unauthenticated user access to any Web published resource. With knowledge of administrator account usernames, an attacker who successfully exploited this vulnerability could take complete control of systems relying on the ISA Server 2006 Web publishing rules for authentication. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Further information on this exploit is available at : MS09-031