
Microsoft Windows OLEAUT32.DLL WMF File Remote Code Execution (MS11-038; CVE-2011-0658)


Check Point Reference: CPAI-2011-285
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS11-038
Industry Reference(s): CVE-2011-0658
Protection Provided by:
Security Gateway
  • R75
  • R71
  • R70
VPN-1
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Vulnerability Description
A remote code execution vulnerability has been reported in the Microsoft Windows OLE Automation component (OLEAUT32.DLL) when it parses malicious WMF files. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Vulnerability Details
The vulnerability is caused by the way that OLE Automation parses a specially crafted WMF file. An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Protection Overview
This protection detects and blocks suspicious WMF files transferred over HTTP.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70 / R71 / R75

How Can I Protect My Network?

  1. In the IPS tab, click Protections and find the Microsoft Windows OLEAUT32.DLL WMF File Remote Code Execution (MS11-038) protection using the Search option.
  2. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Microsoft Windows OLEAUT32.DLL WMF File Remote Code Execution (MS11-038)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the EMF Parser protection group.
3. Click Microsoft Windows WMF Image Parsing Memory Corruption (MS06-004) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Badfiles Windows Metafile Alert/Filter
Description: Microsoft Windows WMF Image Parsing Memory Corruption (MS06-004)
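As an added example, not Check Point's code and not a documented log export format, the following Python script matches both log signatures given above (the SmartView Tracker entries for Security Gateway and the IPS-1 Badfiles alert) against exported log lines and lists the internal hosts that received a blocked file, so they can be checked against MS11-038 patch status. The "key: value;" line layout, the timestamps and the IP addresses are constructed assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Signatures exactly as the advisory states they are logged.
SG_ATTACK_NAME = "Content Protection Violation"
SG_ATTACK_INFO = ("Microsoft Windows OLEAUT32.DLL WMF File "
                  "Remote Code Execution (MS11-038)")
IPS1_ALERT_NAME = "Badfiles Windows Metafile Alert/Filter"
IPS1_DESCRIPTION = ("Microsoft Windows WMF Image Parsing "
                    "Memory Corruption (MS06-004)")

# Constructed sample export (assumed "key: value; key: value" layout);
# line 2 is a different protection, line 4 is ordinary traffic.
LOG_LINES = [
    "Time: 2011-06-14 10:02:11; Src: 198.51.100.20; Dst: 192.0.2.15; "
    "Attack Name: Content Protection Violation; "
    "Attack Information: Microsoft Windows OLEAUT32.DLL WMF File "
    "Remote Code Execution (MS11-038)",
    "Time: 2011-06-14 10:02:12; Src: 198.51.100.20; Dst: 192.0.2.15; "
    "Attack Name: Content Protection Violation; "
    "Attack Information: Some Other Protection",
    "Time: 2011-06-14 10:03:40; Src: 198.51.100.77; Dst: 192.0.2.31; "
    "Alert Name: Badfiles Windows Metafile Alert/Filter; "
    "Description: Microsoft Windows WMF Image Parsing "
    "Memory Corruption (MS06-004)",
    "Time: 2011-06-14 10:04:00; Src: 192.0.2.31; Dst: 192.0.2.1; "
    "Rule: 7; Action: accept",
]


@dataclass
class Hit:
    product: str          # "Security Gateway" or "IPS-1"
    src: Optional[str]    # source address, if present in the line
    dst: Optional[str]    # destination (client that fetched the WMF)
    line_no: int          # 1-based position in the export


def parse_fields(line: str) -> Dict[str, str]:
    """Split one 'key: value; key: value' line into a dict.

    Only the first ':' in each segment separates key from value, so
    values that themselves contain ':' (timestamps) survive intact.
    """
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify(fields: Dict[str, str]) -> Optional[str]:
    """Return which product logged this MS11-038 event, or None."""
    if (fields.get("Attack Name") == SG_ATTACK_NAME
            and fields.get("Attack Information") == SG_ATTACK_INFO):
        return "Security Gateway"
    if (fields.get("Alert Name") == IPS1_ALERT_NAME
            and fields.get("Description") == IPS1_DESCRIPTION):
        return "IPS-1"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Walk an export and collect every line matching either signature."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        fields = parse_fields(line)
        product = classify(fields)
        if product is not None:
            hits.append(Hit(product, fields.get("Src"),
                            fields.get("Dst"), n))
    return hits


def affected_hosts(hits: List[Hit]) -> List[str]:
    """Destinations that received a blocked file: check their patch state."""
    return sorted({h.dst for h in hits if h.dst})


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for h in found:
        print(f"line {h.line_no}: {h.product} blocked WMF "
              f"{h.src} -> {h.dst}")
    print("hosts to verify for MS11-038:", affected_hosts(found))
```

Because the script matches on the exact Attack Information / Description strings, a near-miss such as the second sample line (same Attack Name, different protection) is deliberately not reported; widen `classify` if your deployment localises or truncates those fields.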