
Update Protection against Microsoft Outlook Express Windows Address Book File Vulnerability (MS06-016)

Check Point Reference: CPAI-2006-036
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-016
Industry Reference(s): CVE-2006-0014
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
Who is Vulnerable?
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP SP1, SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Vulnerability Description
Microsoft Outlook Express is a commonly used email application. A vulnerability has been discovered in the file which contains the address book of Outlook Express, potentially allowing a malicious attacker to take control of the affected machine.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-016
Vulnerability Details
The vulnerability can be triggered when Outlook Express uses a malformed .wab file (.wab is the extension of the address book file). The vulnerability creates a remote code execution condition, which can allow a malicious attacker to take control of the vulnerable machine and/or execute arbitrary code.

Protection Overview
Enabling the HTTP and SMTP Security Servers blocks files with the .wab extension.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 (R61, R60, R55W, R55, R54)

How Can I Protect My Network?
Users of all versions of VPN-1 should define an SMTP Security Server (SMTP Resource) and an HTTP Security Server (URI Resource) to strip the potentially affected .wab file extension from email messages and web traffic.

To define the SMTP Security Server:

  1. Create a new SMTP Resource (Manage > Resources) and give it a name.
  2. In the Action2 tab, enter the following:
    • In the Strip file by name field enter {*.wab}
  3. Place the resource in the rulebase.
  4. Install security policy on all modules.
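
To confirm that no .wab attachment reaches mailboxes behind the gateway, stored or quarantined messages can be checked independently. The following is an added example, not Check Point code and not a description of how the Security Server matches names; the glob `*.wab` is assumed to be equivalent to the `{*.wab}` entry above, and the sample message is constructed.

```python
import fnmatch
from email import message_from_bytes, policy

# Assumption: plain glob equivalent of the {*.wab} entry in the SMTP Resource.
BLOCKED_PATTERNS = ["*.wab"]


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return attachment file names in a raw message that match a blocked pattern."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # descends into nested multipart and message/rfc822 parts
        # get_filename() reads the Content-Disposition filename, falls back to the
        # Content-Type name parameter, and decodes RFC 2231 (filename*=) values.
        name = part.get_filename()
        if not name:
            continue
        folded = name.strip().lower()  # Windows treats file extensions case-insensitively
        if any(fnmatch.fnmatchcase(folded, p) for p in BLOCKED_PATTERNS):
            hits.append(name)
    return hits


# Constructed sample: one harmless attachment, one upper-case .WAB name,
# and one .wab name carried in RFC 2231 encoded form.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: user@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="notes.txt"\r\n\r\nx\r\n'
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="Contacts.WAB"\r\n\r\nx\r\n'
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename*=utf-8''M%C3%A4rz.wab\r\n\r\nx\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

Any name this returns for a message delivered past the gateway means the SMTP Resource is not in the rule that handled that mail flow.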

To define the HTTP Security Server:

  1. Create a new URI Resource and give it a name.
  2. Select the Match tab and enter {*.wab} in the Path field. Make sure to select the http box.
  3. Place the resource in the rulebase.
  4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log one of the following entries:

Attack Information: reason: Forbidden MIME attachment stripped
Attack Information: reason: Content Security - access denied