Protection against MS IE COM Object Memory Corruption Vulnerabilities (MS05-037; MS05-038)
| Attack ID: | CPAI-2005-117 |
| Publish Date: | |
| Last Update: | |
| Category: | Remote Code Execution |
| Vulnerable Systems: | Microsoft Internet Explorer 5.01; Microsoft Internet Explorer 5.5; Microsoft Internet Explorer 6; Microsoft Internet Explorer 6 SP1; Microsoft Internet Explorer 6 SP2 |
| Source: | Microsoft Security Bulletin MS05-037; Microsoft Security Bulletin MS05-038 |
| Description: | Two vulnerabilities were detected in Internet Explorer: (1) A vulnerability exists in the way Microsoft Internet Explorer handles a certain Component Object Model (COM) object (MS05-037). (2) A vulnerability exists in the way Internet Explorer handles certain Component Object Model (COM) objects that are not intended to be used in Internet Explorer (MS05-038). An attacker could exploit these vulnerabilities by creating a malicious Web page and persuading the user to visit the page. Successful exploitation could result in remote code execution, which would allow an attacker to take complete control of the affected system. |
| Severity: | |
| Details: | Microsoft Internet Explorer allows HTML documents to utilize ActiveX controls in order to allow for creation of dynamic HTML content. ActiveX controls are based on Component Object Model (COM) technologies. Two vulnerabilities were identified: (1) A vulnerability exists due to an error in the "javaprxy.dll" COM Object when referenced by Internet Explorer via a specially crafted HTML tag. javaprxy.dll exists on the system when Microsoft Java Virtual Machine is installed (MS05-037). (2) Internet Explorer allows instantiation of non-ActiveX COM objects, allowing an attacker to execute arbitrary code or crash Internet Explorer (MS05-038). |
| Attack Detection: | Users of VPN-1 NG with Application Intelligence R55W, users of VPN-1 NGX R60 and users of InterSpect who have applied the solution outlined below will receive the following log entries: Attack Name: "Web Client Enforcement Violation"; Attack Information: "Microsoft Internet Explorer - Detected COM Object (Javaprxy.dll) Vulnerability"; "Microsoft Internet Explorer - Detected COM Object (MS05-038) Vulnerability". Users of VPN-1 NG with Application Intelligence R55 will receive rule 99808 and rule 99805 on the SmartView Tracker screen. |
| Solution: | Users of VPN-1 NG with Application Intelligence R55, R55W, users of VPN-1 NGX R60 and users of InterSpect should update their SmartDefense by clicking Online Update (R55 - Update Now) in the SmartDashboard General window. |
| Industry Reference: | CAN-2005-2087; CAN-2005-1990 |
| Additional Information: | Zone Labs Security Advisory. This update also includes the following protections: Enhancement to the MS SQL Server Protection (CPAI-2005-54); Enhanced MS PNG Protection (CPAI-2005-99); MS Print Spooler Service Protection (CPAI-2005-118); MS Telephony Service (TAPI) Protection (CPAI-2005-119); MS Plug and Play Protection (MS05-2005-120) |