
Preemptive Protection against Microsoft XML Remote Code Execution Vulnerability (MS06-071)


Check Point Reference: CPAI-2006-134
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-071
Industry Reference(s): CVE-2006-5745
Protection Provided by:
VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Microsoft XML Core Services 4.0 for Windows 2000 SP4
Microsoft XML Core Services 4.0 for Microsoft Windows XP SP2
Microsoft XML Core Services 4.0 for Microsoft Windows Server 2003
Microsoft XML Core Services 4.0 for Microsoft Windows Server 2003 SP1
Vulnerability Description
XMLHTTP, an ActiveX control that is included in Microsoft XML Core Services (MSXML), is vulnerable to remote code execution. MSXML is an application for processing Extensible Stylesheet Language Transformations (XSLT) in an XML file, and it allows programmers to create high-performance XML-based applications. XMLHTTP allows web pages to transmit or receive XML data. By convincing a user to visit a specially crafted Web page, a remote attacker may trigger this vulnerability to deny service to legitimate users (by causing the victim's Web browser to crash) or execute arbitrary code on an affected system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-071
Vulnerability Details
The vulnerability is due to a memory corruption flaw in the XMLHTTP ActiveX Control when it processes a specially crafted argument passed to the 'setRequestHeader' method. An attacker can trigger this flaw by convincing a user to view a specially crafted HTML document. Successful exploitation could crash the victim's Web browser once the malicious page is loaded, or allow execution of arbitrary code.

Protection Overview
Users are protected against this vulnerability if the Heap Spray protection for blocking shell code exploits addressed in the Protection section of SBP-2006-12 has been applied.

The Heap Spray protection addresses Internet Explorer vulnerabilities by blocking a large number of known shell code exploits. Depending on the traffic mix, activating this protection may result in performance degradation.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R62, R61, VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in SBP-2006-12 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in SBP-2006-12 has been applied.

How Do I Know if My Network is Under Attack?
Rule #99841 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in SBP-2006-12 has been applied.

How Do I Know if My Network is Under Attack?
Rule #99841 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in SBP-2006-12 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution

InterSpect 2.0

How Can I Protect My Network?
Users of the versions mentioned above are protected against this vulnerability if the Protection outlined in SBP-2006-12 has been applied.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution
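
One way to triage the SmartView Tracker entries listed in the product sections above, written as an added example and not Check Point code: it scans an exported log for either the Attack Name / Attack Information pair or Rule #99841 and groups hits by client, so each affected workstation can be checked for the MS06-071 patch. The semicolon-delimited layout, the column names, the sample rows, and the reading of "Source" as the browsing client are assumptions.

```python
import csv
import io
from collections import defaultdict

# Indicators taken from the advisory text above.
ATTACK_NAME = "Web Client Enforcement Violation"
ATTACK_INFO = "Heap spray remote shell code execution"
RULE_NUMBER = "99841"

# Constructed sample export. Column names and the ';' delimiter are
# assumptions for illustration; adjust them to match your own log export.
SAMPLE_EXPORT = """\
Date;Time;Origin;Source;Destination;Rule;Attack Name;Attack Information
14Nov2006;09:12:01;gw-ngx;10.1.4.23;192.0.2.80;7;Web Client Enforcement Violation;Heap spray remote shell code execution
14Nov2006;09:12:40;gw-ngx;10.1.4.23;192.0.2.80;7;Web Client Enforcement Violation;Heap spray remote shell code execution
14Nov2006;09:15:10;gw-r55;10.1.9.5;198.51.100.9;99841;;
14Nov2006;09:16:02;gw-ngx;10.1.4.77;203.0.113.5;12;Web Client Enforcement Violation;Some other web client check
14Nov2006;09:17:30;gw-ngx;10.1.2.2;203.0.113.5;3;;
"""

def field(row, name):
    """Return a normalised field value; missing or empty columns become ''."""
    return (row.get(name) or "").strip()

def is_heap_spray_hit(row):
    """True if a record matches either logging form the advisory lists."""
    named = (field(row, "Attack Name").lower() == ATTACK_NAME.lower()
             and field(row, "Attack Information").lower() == ATTACK_INFO.lower())
    by_rule = field(row, "Rule").lstrip("#") == RULE_NUMBER
    return named or by_rule

def triage(export_text, delimiter=";"):
    """Group matching records by client (assumed to be the 'Source' column)."""
    clients = defaultdict(lambda: {"hits": 0, "servers": set()})
    for row in csv.DictReader(io.StringIO(export_text), delimiter=delimiter):
        if is_heap_spray_hit(row):
            entry = clients[field(row, "Source")]
            entry["hits"] += 1
            entry["servers"].add(field(row, "Destination"))
    return dict(clients)

if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_EXPORT).items()):
        print(f"{client}: {info['hits']} hit(s), served by {sorted(info['servers'])}")
```

A record with the same Attack Name but different Attack Information is deliberately not counted, since the advisory ties this protection to the heap spray entry specifically.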