
Pre-Patch Workaround for Microsoft Windows Vulnerabilities

Check Point Reference: SBP-2006-06
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-037
Microsoft Security Bulletin MS06-038
Microsoft Security Bulletin MS06-012
Industry Reference(s): CVE-2006-3431
CVE-2006-1540
CVE-2006-1308
CVE-2006-2492
CVE-2005-4131
CVE-2006-0028
CVE-2006-0029
CVE-2006-0030
CVE-2006-0031
CVE-2006-0009
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Microsoft Windows operating systems
Vulnerability Description
Several remote code execution vulnerabilities exist in Microsoft Office, including vulnerabilities in Excel, PowerPoint and Word. A remote attacker may create a malicious Excel, PowerPoint or Word file and host it on a Web site or send it as an email attachment. This may allow an attacker to overflow a buffer and possibly execute arbitrary code on the affected system.

Since the protections offered in this advisory may degrade performance and block access to legitimate Office files, Check Point users are advised to use these protections as a workaround until all systems are patched.
Vulnerability Details
Several vulnerabilities were reported in various components of Microsoft Office:

CVE-2006-3431: A memory corruption error exists when handling or repairing a document containing overly long styles.

CVE-2006-1540: Two flaws exist in several Microsoft Windows operating systems. The first flaw is due to memory corruption errors when parsing malformed strings. The second flaw is due to a memory corruption error when processing malformed properties.

CVE-2006-1308: Multiple vulnerabilities have been identified in Microsoft Excel, due to memory corruption errors when processing malformed SELECTION, COINFO, OBJECT, LABEL and FNGROUPCOUNT records.

CVE-2006-2492: A memory corruption error exists when processing Word documents containing a malformed object pointer.

CVE-2005-4131: Multiple vulnerabilities have been identified in Excel, due to memory corruption errors when handling (1) a malformed range, (2) a specially crafted description, (3) specially crafted graphics, or (4) malformed records. These could all be exploited by remote attackers to execute arbitrary commands.

CVE-2006-0028: An Excel document with a specially crafted parsing format file can cause arbitrary code to be executed on the target system.  

CVE-2006-0029: An Excel document with a specially crafted description can cause arbitrary code to be executed on the target system.

CVE-2006-0030: An Excel document with a specially crafted graphic can cause arbitrary code to be executed on the target system.  

CVE-2006-0031: An Excel document with a specially crafted record can cause arbitrary code to be executed on the target system.  

CVE-2006-0009: An Excel document with a specially crafted parsing format file can cause arbitrary code to be executed on the target system.

Protection Overview

By enabling this protection, SmartDefense will block the transfer of Microsoft Office files, including Word, PowerPoint and Excel, over HTTP. For the protection to work, at least one of the Block Office protection's options in the configuration pane (i.e. Block Word Documents; Block Excel Documents; Block Power Point Documents) needs to be activated.

Note: Depending on the traffic mix, activating these protections may result in performance degradation.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R61, VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection > Block Office Files; the Block Office Files configuration pane opens.
2. Select the option of your choice:



3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information (one of the following):
Word Office document detected
Excel Office document detected
PowerPoint Office document detect

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection > Block Office Files; the Block Office Files configuration pane opens.
2. Select the option of your choice:



3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule #980119.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection > Block Office Files; the Block Office Files configuration pane opens.
2. Select the option of your choice:



3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule #980119.

InterSpect NGX

How Can I Protect My Network?
1. In the left-hand menu, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Block Office Files; the Block Office Files configuration pane opens.
3. Select the option of your choice:



4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information (one of the following):
Word Office document detected
Excel Office document detected
PowerPoint Office document detect

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection > Block Office Files; the Block Office Files configuration pane opens.
2. Select the option of your choice:



3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information (one of the following):
Word Office document detected
Excel Office document detected
PowerPoint Office document detect
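
To see how often the workaround fires and which internal hosts it affects, the log entries listed in the sections above (the named Content Protection Violation entries and rule #980119) can be tallied per source and document type. The following Python code is an added example, not Check Point code. The `key: value;` line layout, the field names (`src`, `attack`, `attack_info`, `rule`) and the sample lines are constructed assumptions; only the attack name, the three attack-information strings and rule number 980119 come from this advisory.

```python
from collections import Counter

# Strings from the advisory; messages are matched by prefix because the
# advisory prints the PowerPoint one as "... document detect".
DOC_TYPES = ("Word", "Excel", "PowerPoint")
ATTACK_NAME = "Content Protection Violation"
LEGACY_RULE = "980119"  # logged instead of a named attack on R55 and VSX NGX

# Constructed sample lines in an assumed "key: value; ..." layout.
SAMPLE_LOG = """\
time: 10:02:11; src: 10.1.4.22; dst: 192.0.2.80; service: http; attack: Content Protection Violation; attack_info: Word Office document detected
time: 10:02:40; src: 10.1.4.22; dst: 192.0.2.80; service: http; attack: Content Protection Violation; attack_info: Excel Office document detected
time: 10:03:05; src: 10.1.7.9; dst: 198.51.100.12; service: http; attack: Content Protection Violation; attack_info: PowerPoint Office document detect
time: 10:03:30; src: 10.1.7.9; dst: 198.51.100.12; service: http; rule: 980119
time: 10:04:02; src: 10.1.9.3; dst: 203.0.113.5; service: http; attack: Port Scan; attack_info: Word Office document detected
time: 10:04:10; src: 10.1.9.3; dst: 203.0.113.5; service: http; rule: 12
garbage line without fields
"""

def parse_fields(line):
    """Split 'key: value; key: value' into a dict; parts without ':' are skipped."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition(":")  # first ':' only, so times survive
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def classify(fields):
    """Return the document type, 'unspecified' for rule 980119, or None."""
    if fields.get("attack") == ATTACK_NAME:
        info = fields.get("attack_info", "")
        return next((d for d in DOC_TYPES
                     if info.startswith(d + " Office document detect")), None)
    return "unspecified" if fields.get("rule") == LEGACY_RULE else None

def summarize(log_text):
    """Count blocked Office transfers per (source address, document type)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_fields(line)
        kind = classify(fields)
        if kind:
            hits[(fields.get("src", "?"), kind)] += 1
    return hits

if __name__ == "__main__":
    for (src, kind), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:<12} {kind:<12} {count}")
```

Because the protection also blocks legitimate Office files, a per-source tally like this helps separate routine business traffic from unexpected download attempts while the workaround is in place.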