
Update Protection Against WMF/EMF Image Parsing Vulnerability (MS06-004)

Check Point Reference: CPAI-2006-020
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-004
Industry Reference(s): CVE-2006-0020, CVE-2005-4560, CVE-2005-2124, CVE-2005-2123
Protection Provided by: VPN-1
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
Vulnerability Description
Internet Explorer 5.01 Service Pack 4 fails to properly handle Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats.  WMF and EMF are image formats used in many Windows programs including Internet Explorer and Outlook. By persuading a user to open a specially crafted WMF or EMF image file, an attacker may be able to execute arbitrary code on the affected system.
Vulnerability Status
No exploit has been released so far.
Update/Patch Available
Microsoft has released a patch for this vulnerability. The patch is available at http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx.
Vulnerability Details
A vulnerability has been identified in Microsoft Internet Explorer that remote attackers could exploit to execute arbitrary code. Specifically, Internet Explorer does not correctly handle Windows Metafile (WMF) and Enhanced Metafile (EMF) images that contain a specially crafted header size. To trigger the vulnerability, a remote attacker could convince a user to open a malicious email attachment or visit a maliciously crafted Web page.

Protection Overview
The protection detects WMF and EMF files on the configured HTTP ports and blocks the connection that carries them.
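
For readers who want to see what recognizing these formats involves, the following added example (not Check Point's detection logic and not part of the original advisory) identifies WMF and EMF content by its header and sanity-checks the declared header size. The function name, the constants and the sample byte strings are assumptions made for illustration; the field layouts follow Microsoft's published WMF and EMF format specifications.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable WMF header
EMF_SIGNATURE = 0x464D4520  # " EMF", at offset 40 of the EMR_HEADER record
EMF_MIN_HEADER = 88         # smallest valid EMR_HEADER record, in bytes
WMF_HEADER_WORDS = 9        # META_HEADER is always nine 16-bit words


def classify_metafile(data: bytes):
    """Return (kind, problems); kind is 'EMF', 'WMF' or None."""
    problems = []
    # EMF: the first record has type 1 and carries the signature at offset 40.
    if len(data) >= 44:
        rec_type, rec_size = struct.unpack_from("<II", data, 0)
        (signature,) = struct.unpack_from("<I", data, 40)
        if rec_type == 1 and signature == EMF_SIGNATURE:
            if rec_size < EMF_MIN_HEADER or rec_size % 4 or rec_size > len(data):
                problems.append(f"EMF header size {rec_size} is implausible")
            return "EMF", problems
    # WMF: skip the placeable header if present, then read META_HEADER.
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22
    if len(data) >= offset + 18:
        ftype, hdr_words, version = struct.unpack_from("<HHH", data, offset)
        # Type 1/2 plus version 0x0100/0x0300 is a loose match, chosen so that
        # a file with a wrong header size is still recognized and flagged.
        if ftype in (1, 2) and version in (0x0100, 0x0300):
            if hdr_words != WMF_HEADER_WORDS:
                problems.append(f"WMF header size {hdr_words} words, expected 9")
            return "WMF", problems
    return None, problems


# Constructed sample inputs (not taken from any real file or capture).
META_EOF = struct.pack("<IH", 3, 0)  # terminating record
WMF_OK = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + META_EOF
WMF_BAD = struct.pack("<HHHIHIH", 1, 0x7FFF, 0x0300, 12, 0, 3, 0) + META_EOF
PLACEABLE = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0) + WMF_OK
EMF_OK = struct.pack("<II", 1, 88) + bytes(32) + struct.pack("<I", EMF_SIGNATURE) + bytes(44)
EMF_BAD = struct.pack("<II", 1, 8) + EMF_OK[8:]

if __name__ == "__main__":
    for name, blob in [("WMF_OK", WMF_OK), ("WMF_BAD", WMF_BAD), ("PLACEABLE", PLACEABLE),
                       ("EMF_OK", EMF_OK), ("EMF_BAD", EMF_BAD), ("GIF", b"GIF89a" + bytes(50))]:
        print(name, classify_metafile(blob))
```

Because the check works on content rather than on file extension or declared MIME type, it still recognizes a metafile served under another name.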

March 3, 2006
Note for VPN-1 NGX R60 users:
R60 machines have been updated to address a policy compilation issue on R55 when activating the defense.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
Also included with the update:

  • Protection against Microsoft Windows Web Service Vulnerability (MS06-007) - CPAI-2006-018

VPN-1 NGX R60 & VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. On the SmartDefense tree, click Application Intelligence > Content Protection > Block WMF/EMF Files.
3. Install security policy on all modules.

Note: Depending on the traffic mix, activating this protection may result in performance degradation.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information:
EMF file detected
WMF file detected

InterSpect NGX

How Can I Protect My Network?
1. Update your SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.  
3. In the SmartDefense tree, click Application Intelligence > Content Protection > Block WMF/EMF Files and check the Block WMF/EMF Files check box on the opposite screen.
4. Install security policy on all modules.

Note: Depending on the traffic mix, activating this protection may result in performance degradation.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information:
WMF file detected
EMF file detected

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. Update your SmartDefense by clicking Update Now in the SmartDashboard General window.
2. On the SmartDefense tree, click Application Intelligence > Content Protection > Block WMF/EMF Files.
3. Install security policy on all modules.

Note: Depending on the traffic mix, activating this protection may result in performance degradation.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule 99879 indicating that a WMF or EMF file has been detected.

InterSpect 2.0

How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. On the SmartDefense tree, click Application Intelligence > Content Protection > Block WMF/EMF Files and check the Block WMF/EMF Files check box on the opposite screen.
3. Install security policy on all modules.

Note: Depending on the traffic mix, activating this protection may result in performance degradation.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information:
EMF file detected
WMF file detected