Preemptive Protection against Microsoft Windows Animated Cursor Remote Code Execution Vulnerability (MS07-017)
| Check Point Reference: | CPAI-2007-040 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Microsoft Security Bulletin MS07-017 | |
| Industry Reference(s): |
CVE-2007-0038 |
|
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Microsoft Windows 2000 SP4 Microsoft Windows XP SP2 Microsoft Windows XP Professional x64 Edition Microsoft Windows XP Professional x64 Edition SP2 Microsoft Windows Server 2003 Microsoft Windows Server 2003 SP1 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 (Itanium) Microsoft Windows Server 2003 SP1 (Itanium) Microsoft Windows Server 2003 SP2 (Itanium) Microsoft Windows Server 2003 x64 Edition Microsoft Windows Server 2003 x64 Edition SP2 Windows Vista Windows Vista x64 Edition | ||
| Vulnerability Description A remote code execution vulnerability has been reported in the animated cursor code in Microsoft Windows. A remote attacker can exploit this vulnerability via a specially crafted ANI file. Animated cursors files (ANI) allow a series of frames to appear at the mouse pointer location instead of a single image (animated mouse pointer). Successful exploitation allows execution of arbitrary code on a vulnerable system. |
||
|
Update/Patch Available Apply patches: Microsoft Security Bulletin MS07-017 |
|
|
Vulnerability Details The vulnerability is due to an error in Microsoft Windows that fails to properly handle malformed animated cursor files. A remote attacker could trigger this flaw via a specially crafted ANI file. By convincing a user to visit a specially crafted HTML documents or open a malicious web page, a remote attacker could cause a denial of service condition or execute arbitrary code on an affected system. Successful exploitation allows remote code execution once a malformed ANI file is being processed on the vulnerable system. |
Protection Overview
By enabling this protection, SmartDefense will detect and block the transferring of malformed ANI files over HTTP. No update is required to address this vulnerability.
Please note that a similar issue was addressed in CPAI-2005-06.
To configure the defense, select your product from the list below and follow the related protection steps.
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Content Protection.
2. Select the following:
Malformed ANI File
3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: ANI Content Protection Violation
Attack Information: Malformed ANI File
VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection.
2. Select the following:
Malformed ANI File
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: ANI Content Protection Violation
Attack Information: Malformed ANI File
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection.
2. Select the following:
Malformed ANI File
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99801 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection.
2. Select the following:
Malformed ANI File
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99801 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer vulnerabilities.
3. Select the following pattern:
Malformed ANI File
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: ANI Content Protection Violation
Attack Information: Malformed ANI File
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections > Microsoft Internet Explorer vulnerabilities.
2. Select the following pattern:
Malformed ANI File
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: ANI Content Protection Violation
Attack Information: Malformed ANI File