Update Protection against ART Image Rendering Vulnerability (MS06-022)
| Check Point Reference: | CPAI-2006-080 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Microsoft Security Bulletin MS06-022 | |
| Industry Reference(s): | CVE-2006-2378 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Microsoft Windows XP SP1,SP2 Microsoft Windows XP Professional x64 Edition Microsoft Windows Server 2003 Microsoft Windows Server 2003 SP1 Microsoft Windows Server 2003 for Itanium-based Systems Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Microsoft Windows Server 2003 x64 Edition | ||
| Vulnerability Description A vulnerability has been identified in the way Microsoft Windows handles malformed .art images. An attacker could execute arbitrary commands with a carefully crafted .art file hosted on a malicious Web site or in an HTML email message. |
||
|
Update/Patch Available Microsoft has released patches: http://www.microsoft.com/technet/security/Bulletin/MS06-022.mspx |
|
|
Vulnerability Details The vulnerability specifically exists due to improper parsing of a malformed .art file during rendering. With a specially crafted .art file, it is possible to create a buffer overflow condition and potentially take complete control of an affected system. |
Protection Overview
The protection detects ART files over the configured HTTP ports and blocks the connection when it detects these files.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on July 5, 2006 includes the follwoing protections:
Malformed SSH Init Message Protection (CPAI-2006-069)
Multiple IMAP Servers Directory Traversal Protection (CPAI-2006-070)
VNC Authentication Bypass Protection (CPAI-2006-071)
COM Object Instantiation Protection (MS06-013) - CPAI-2006-072
COM Object Instantiation Memory Corruption Vulnerability (MS06-021) - CPAI-2006-073
Microsoft JScript Remote Code Execution Protection (MS06-023) - CPAI-2006-074
Symantec Sygate SQL Injection Protection (CPAI-2006-075)
Horde Help Viewer Protection (CPAI-2006-076)
Virtual War (VWar) File Inclusion Protection (CPAI-2006-077)
AWStats Remote Command Execution Protection - CPAI-2006-078
Windows Media Player PNG Protection (MS06-024) - CPAI-2006-079
ART Image Rendering Protection (MS06-022) - CPAI-2006-080
MySQL Server str_to_date DoS Protection (CPAI-2006-081)
Enhanced Protection against AWStats "migrate" Shell Command Injection (CPAI-2006-053)
Additional Logs added to the FTP patterns engine (CPAI-2006-040)
VPN-1 NGX R61
How Can I Protect My Network?
1. Update SmartDefense: Click the SmartDefense Services tab, click Download Updates and then click the Online Update button.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Block ART Files. 
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Content Protection Violation
Attack Information: ART file blocked
VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. On the SmartDefense tree, click Application Intelligence > Content Protection > Block ART Files.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Content Protection Violation
Attack Information: ART file blocked
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. Update SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Block ART Files.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule 99818 indicating that an ART file has been blocked.
VPN-1 VSX NGX
How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Block ART Files.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99818 will be logged in the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. Update SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
3. In the SmartDefense tree, click Application Intelligence > Content Protection > Block ART Files and check the Block ART Files check box on the opposite screen. 
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Contect Protection Violation
Attack Information: ART File Blocked
InterSpect 2.0
How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Block ART Files and check the Block ART Files check box on the opposite screen.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Content Protection Violation
Attack Information: ART File Blocked