
Block Windows Address Book Contact Record Vulnerability (MS06-076)


Check Point Reference: CPAI-2006-147
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-076
Industry Reference(s): CVE-2006-2386
Protection Provided by: VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
Who is Vulnerable?
Microsoft Outlook Express 5.5 SP2 on Windows 2000 SP4
Microsoft Outlook Express 6 SP1 on Windows 2000 SP4
Microsoft Outlook Express 6 on Windows XP SP2
Microsoft Outlook Express 6 on Windows XP Professional x64 Edition
Microsoft Outlook Express 6 on Windows Server 2003
Microsoft Outlook Express 6 on Windows Server 2003 SP1
Microsoft Outlook Express 6 on Windows Server 2003 x64 Edition
Microsoft Outlook Express 6 on Windows Server 2003 (Itanium)
Microsoft Outlook Express 6 on Windows Server 2003 SP1 (Itanium)
Vulnerability Description
A remote code execution vulnerability has been discovered in Microsoft Outlook Express. The vulnerability is due to a buffer overflow error in the Windows Address Book (WAB) functions within Outlook Express. Windows Address Book is an application used for storing contact information. A remote attacker can exploit the vulnerability to execute arbitrary code on a target system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-076
Vulnerability Details
An attacker can exploit this vulnerability via a specially crafted '.wab' file. A remote attacker can trigger the flaw by convincing a user to view a specially crafted HTML document containing a malicious '.wab' file. Successful exploitation could allow execution of arbitrary code once the page is loaded.

Protection Overview
The protection blocks HTTP and SMTP connections containing potentially malicious '.wab' files.

Note: This is an interim protection offered until all systems are patched.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 (all versions from R54)

How Can I Protect My Network?
Until all systems are patched, users are advised to block the malicious file extensions using the HTTP and SMTP security servers.

To configure the HTTP Security Server:

1. Create a new URI Resource and give it a name (Manage > Resources).
2. Select the Match tab; under Schemes, enable http; in the Path field, enter

{*.wab}

3. Place the new URI resource in the rulebase.
4. Install security policy on all modules.

To configure the SMTP Security Server:

1. Create a new SMTP Resource (Manage > Resources) and give it a name.

2. In the Action2 tab, enter the following:

In the Strip MIME of type field enter

{application/x-crossover-wab}

In the Strip file by name field enter

{*.wab}

3. Place the new SMTP resource in the rulebase.
4. Install security policy on all modules.
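The two security-server procedures above amount to two match rules: block an HTTP request whose path names a '.wab' file, and strip an SMTP MIME part whose type is application/x-crossover-wab or whose filename matches *.wab. The following Python re-implementation of those rules is an added example, not Check Point's own matching code; it uses only the standard library, the sample message is constructed for illustration, and the function names are assumptions. It goes slightly beyond the steps above by matching case-insensitively and by ignoring the query string, so 'CONTACTS.WAB?dl=1' is still caught.

```python
import fnmatch
from email import message_from_string
from email.message import Message
from urllib.parse import unquote, urlsplit

# Patterns taken from the advisory's interim protection.
BLOCKED_PATH_GLOB = "*.wab"                      # HTTP URI resource, Path field
BLOCKED_MIME_TYPES = {"application/x-crossover-wab"}  # SMTP "Strip MIME of type"
BLOCKED_NAME_GLOB = "*.wab"                      # SMTP "Strip file by name"

# The log reason SmartView Tracker records for a stripped attachment.
STRIP_REASON = "Forbidden MIME attachment stripped"


def http_path_is_blocked(url: str) -> bool:
    """Return True when the request path names a '.wab' file.

    Mirrors the URI resource match '{*.wab}' on the path. The query string and
    fragment are ignored, and the comparison is case-insensitive so that
    'FILE.WAB' is caught as well as 'file.wab'. fnmatch's '*' also matches '/',
    so any directory depth is covered.
    """
    path = unquote(urlsplit(url).path)
    return fnmatch.fnmatchcase(path.lower(), BLOCKED_PATH_GLOB)


def strip_wab_parts(raw_message: str) -> tuple[Message, list[str]]:
    """Remove MIME parts that match the SMTP resource's Action2 strip rules.

    A part is stripped when its Content-Type is in BLOCKED_MIME_TYPES or its
    declared filename matches '*.wab' (case-insensitive). Returns the rewritten
    message and one STRIP_REASON entry per removed part, so a caller can emit
    the same log line the security server would.
    """
    msg = message_from_string(raw_message)
    reasons: list[str] = []
    if not msg.is_multipart():
        return msg, reasons  # single-part message: nothing to strip
    kept = []
    for part in msg.get_payload():
        ctype = part.get_content_type()          # already lower-cased by email
        filename = (part.get_filename() or "").lower()
        if ctype in BLOCKED_MIME_TYPES or fnmatch.fnmatchcase(filename, BLOCKED_NAME_GLOB):
            reasons.append(STRIP_REASON)
            continue
        kept.append(part)
    msg.set_payload(kept)
    return msg, reasons


# Constructed sample: a text part, a part with the WAB MIME type, and a part
# with a generic type that is only recognisable by its '.WAB' filename.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: contacts
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please import the attached address book.
--BOUNDARY
Content-Type: application/x-crossover-wab; name="contacts.wab"
Content-Disposition: attachment; filename="contacts.wab"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="renamed.WAB"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY--
"""


if __name__ == "__main__":
    for url in ("http://example.invalid/files/contacts.wab",
                "http://example.invalid/index.html"):
        print(url, "->", "blocked" if http_path_is_blocked(url) else "allowed")
    cleaned, log = strip_wab_parts(SAMPLE_MESSAGE)
    for reason in log:
        print("Information: reason:", reason)
    print("parts remaining:", len(cleaned.get_payload()))
```

The second attachment in the sample shows why the advisory configures both fields: a sender can relabel the part as application/octet-stream, so the MIME-type rule alone would miss it, and the filename rule is what catches it.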

Note: Filtering all HTTP and SMTP traffic through the security servers may result in legitimate HTTP traffic being blocked.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Information: reason: Forbidden MIME attachment stripped
Information: reason: Content Security - access denied