Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Windows Explorer GUID Remote Code Execution Vulnerability (MS06-045)

Subscribe

Check Point Reference: CPAI-2006-115
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-045
Industry Reference(s): CVE-2006-3281
US-CERT VU#655100
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
Who is Vulnerable?
Microsoft Windows 2000 SP4
Microsoft Windows XP SP1
Microsoft Windows XP SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 (Itanium)
Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Windows Server 2003 x64 Edition
Vulnerability Description
Microsoft Internet Explorer (IE) contains a remote code execution vulnerability. The application fails to properly handle directories with CLSID extensions. A remote attacker can exploit this vulnerability to execute arbitrary commands on an affected system.
Update/Patch Available
Apply patches :
Microsoft Security Bulletin MS06-045
Microsoft Security Bulletin MS06-042
Vulnerability Details
This vulnerability is due to the way that Microsoft Internet Explorer handles Drag and Drop Events. A remote attacker can exploit this flaw by convincing a user to enter a specially crafted web page or open a malicious e-mail message or HTML file. The attacker must trick the user into executing a malicious file containing the CLSID Key identifier for HTML Applications (HTA). Successful exploitation of the vulnerability may result in arbitrary code execution on the target system.

Protection Overview
The update protects against this vulnerability by blocking specially crafted files and directories. Depending on the traffic mix, activating this protection may result in performance degradation.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on October 11, 2006 includes the following protections: 

Malformed DNS Resource Records Protection (MS06-041) - CPAI-2006-111
Microsoft Internet Explorer Memory Corruption Vulnerabilities (MS06-042) - CPAI-2006-112
Microsoft Windows MHTML Remote Code Execution Vulnerability (MS06-043) - CPAI-2006-113  
Microsoft Management Console Remote Code Execution Vulnerability (MS06-044) - CPAI-2006-114
Windows Explorer GUID Remote Code Execution Vulnerability (MS06-045) - CPAI-2006-115
Microsoft Windows RASMAN Buffer Overflow Vulnerabilities (MS06-025) - CPAI-2006-116
Microsoft Windows MailSlot Buffer Overflow Vulnerabilities (MS06-035) - CPAI-2006-117
Microsoft Internet Explorer (daxctle.ocx) Vulnerabilities (CPAI-2006-118)
CBSMS Mambo Module Remote File Vulnerabilities (CPAI-2006-119)

VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration pane, select

Block Folder GUID Code Execution Vulnerability (MS06-045)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Folder GUID Code Execution Vulnerability (MS06-045)

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections and then click Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration page, select

Block Folder GUID Code Execution Vulnerability (MS06-045)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99835 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration pane, click

Block Folder GUID Code Execution Vulnerability (MS06-045)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule #99835

InterSpect NGX

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration pane, select

Block Folder GUID Code Execution Vulnerability (MS06-045)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Folder GUID Code Execution Vulnerability (MS06-045)

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections > Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration pane, select

Block Folder GUID Code Execution Vulnerability (MS06-045)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Folder GUID Code Execution Vulnerability (MS06-045)