Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Indexing Service Cross-Site Scripting Vulnerability (MS06-053)

Subscribe

Check Point Reference: CPAI-2006-110
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-053
Industry Reference(s): CVE-2006-0032
FrSIRT/ADV-2006-3564
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Connectra
  • NGX R61
Who is Vulnerable?
Microsoft Windows 2000 SP4
Microsoft Windows XP SP1
Microsoft Windows XP SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003 (Itanium)
Microsoft Windows Server 2003 SP1 (Itanium)
Microsoft Windows Server 2003 x64 Edition
Vulnerability Description
A cross-site scripting (XSS) vulnerability exists in Microsoft Windows Indexing Service. Indexing Service is a feature that supports rapid searching of file contents and properties by extracting information from files and storing it in indexes organized for fast searching. A remote attacker can exploit this vulnerability to execute arbitrary commands on an affected system.

Note: This vulnerability puts at risk only users of systems that have IIS and Indexing Service installed and that enabled the Indexing Service to be accessible from IIS via a web-based interface.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-053
Vulnerability Details
This cross-site scripting vulnerability is due to an input validation error in Microsoft Windows Indexing Service. A remote attacker can exploit this issue by convincing a user to click on a maliciously crafted URL leading to a Web server running Internet Information Services (IIS) and Index Server. The attacker can exploit this issue to take control over the victim's session by using a UTF-7 encoded script embedded in the URL that the user clicked on. Successful exploitation of the vulnerability may result in arbitrary code execution on the target system.

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block the vulnerability based on pre-defined worm signatures.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R61 ,R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following pattern:

Indexing Service XSS Vulnerability (MS06-053)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Indexing Service XSS Vulnerability (MS06-053)

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following pattern:

Indexing Service XSS Vulnerability (MS06-053)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Indexing Service XSS Vulnerability (MS06-053)

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following pattern:

Indexing Service XSS Vulnerability (MS06-053)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Indexing Service XSS Vulnerability (MS06-053)

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

Indexing Service XSS Vulnerability (MS06-053)

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Indexing Service XSS Vulnerability (MS06-053)

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Web > General HTTP Worm Defender.
2. Enable the following pattern:

Indexing Service XSS Vulnerability (MS06-053)

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Indexing Service XSS Vulnerability (MS06-053)

Connectra NGX R61

How Can I Protect My Network?
1. In the navigation tree, click Web Intelligence. In the Malicious Code Protection pane click General HTTP Worm Catcher.
2. Enable the following patterns:

Indexing Service XSS Vulnerability (MS06-053)

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Worm Catcher
Attack Information: Indexing Service XSS Vulnerability (MS06-053)