Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Windows Shell Handler URL Validation Code Execution Vulnerability (MS10-007)

Subscribe

Check Point Reference: CPAI-2010-031
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS10-007
Industry Reference(s): CVE-2010-0027
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP2 (Itanium)
Vulnerability Description
A remote code execution vulnerability has been reported in the Microsoft Windows ShellExecute API function. The Windows user interface provides users with access to a wide variety of objects necessary for running applications and managing the operating system. ShellExecute is part of the Windows Shell application programming interface (API) functions. It performs an operation on a specified file. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page. Successful exploitation could result in execution of arbitrary code on the affected system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-007
Vulnerability Details
The vulnerability is due to the incorrect validation of input sent to the ShellExecute API function. When an application, such as a web browser, uses the ShellExecute API function to processes specially crafted data, ShellExecute may incorrectly validate that data stream and execute a binary from the local client system. A remote attacker could exploit this issue by convincing a user to visit a malicious Web page. Successful exploitation of this issue may allow the attacker to take complete control of the affected system.

Protection Overview
This protection will detect and block malformed links in HTML files.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. In the right pane, double-click the Microsoft Windows Shell Handler URL Validation Code Execution (MS10-007) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Windows shell handler URL validation code execution (MS10-007)

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities > Microsoft Windows Shell Handler URL Validation Code Execution (MS10-007).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Windows shell handler URL validation code execution (MS10-007)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > HTML, and select the Internet Explorer protection group.
3. Click Microsoft Windows Shell Handler URL Validation Code Execution (MS10-007) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: Internet Explorer Vulnerabilities
Description: Microsoft Windows Shell Handler URL Validation Code Execution (MS10-007)