
Update Protection against Microsoft Office Web Components Multiple ActiveX Controls Remote Code Execution Vulnerability (MS09-043)


Check Point Reference: CPAI-2009-121
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS09-043
Microsoft Security Bulletin MS09-055
Industry Reference(s): CVE-2009-0562
CVE-2009-1136
CVE-2009-1534
CVE-2009-2493
CVE-2009-2496
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Office XP SP3
Microsoft Office 2003 SP3
Microsoft Office XP Web Components
Microsoft Office 2003 Web Components
Microsoft Office 2003 Web Components for the 2007 Microsoft Office system SP1
Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP3
Microsoft Internet Security and Acceleration Server 2006
Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 SP1
Microsoft Office Small Business Accounting 2006
Vulnerability Description
Multiple remote code execution vulnerabilities have been reported in Microsoft Office Web Components ActiveX Controls. Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web. A remote attacker can exploit these vulnerabilities by convincing a user to visit a specially crafted Web page. Successful exploitation could result in execution of arbitrary code on the affected system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS09-043
Microsoft Security Bulletin MS09-055
Vulnerability Details
The vulnerabilities are due to a memory corruption error in the Microsoft Office Web Components ActiveX controls, which fail to correctly handle parameter values when they are used in Internet Explorer. A remote attacker could exploit this issue by convincing a user to visit a malicious Web page. Successful exploitation of these vulnerabilities could allow remote code execution on the affected system.

Protection Overview
This protection will detect and block the Office Web Components vulnerable ActiveX controls.
Note that this is an enhancement of a previously released Office Web Components protection. 

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. In the right pane, double-click the Microsoft Office Web Components Multiple Buffer Overflows (MS08-017) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Office Web Components buffer overflow (MS08-017)

VPN-1 NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities > Block Microsoft Office Web Components Vulnerability (MS08-017).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Office Web Components buffer overflow (MS08-017)

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities > Block Microsoft Office Web Components Vulnerability (MS08-017).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Office Web Components buffer overflow (MS08-017)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the ActiveX Parser protection group.
3. Click Microsoft Office Web Components (CVE-2009-1136) - (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: Badfiles ActiveX class in HTML file Alert/Filter
Description: Microsoft Office Web Components (CVE-2009-1136)
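
The log entries listed in each product section carry the MS08-017 and CVE-2009-1136 labels of the earlier protection, so a search of exported logs for "MS09-043" will not find them. The following is an added example, not Check Point code, that matches exported records on the exact strings shown above. It assumes a plain-text export of blank-line-separated "Field: value" records; the "Source" field, the addresses and the sample records are constructed.

```python
import re

# Signature strings copied from the advisory's log-entry listings (name field,
# name value, detail field, detail value). None of them contains "MS09-043".
SIGNATURES = [
    ("Attack Name", "Web Client Enforcement Violation",
     "Attack Information", "Microsoft Office Web Components buffer overflow (MS08-017)"),
    ("Alert Name", "Badfiles ActiveX class in HTML file Alert/Filter",
     "Description", "Microsoft Office Web Components (CVE-2009-1136)"),
]

# Constructed sample export; the format and the "Source" field are assumptions.
SAMPLE_EXPORT = """\
Source: 192.0.2.10
Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Office Web Components buffer overflow (MS08-017)

Source: 192.0.2.10
Attack Name: Web Client Enforcement Violation
Attack Information: Constructed unrelated protection

Source: 192.0.2.44
Alert Name: Badfiles ActiveX class in HTML file Alert/Filter
Description: Microsoft Office Web Components (CVE-2009-1136)
"""

def norm(value):
    """Lower-case and collapse whitespace so spacing differences do not hide a hit."""
    return " ".join(value.lower().split())

def parse_records(text):
    """Return one dict per record; only the first ':' on a line splits key from value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        rec = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if rec:
            records.append(rec)
    return records

def find_owc_hits(records):
    """Keep records where both the name and the detail field match one signature."""
    return [rec for rec in records
            if any(norm(rec.get(nf, "")) == norm(nv) and norm(rec.get(df, "")) == norm(dv)
                   for nf, nv, df, dv in SIGNATURES)]

def hits_by_source(records):
    """Count matching records per Source value, to show which clients triggered it."""
    counts = {}
    for rec in find_owc_hits(records):
        src = rec.get("Source", "unknown")
        counts[src] = counts.get(src, 0) + 1
    return counts
```

Matching on both fields keeps other Web Client Enforcement Violation entries, such as the second constructed record, out of the result.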