Update Protection against Microsoft Internet Explorer FTP Responses Remote Code Execution Vulnerability (MS07-016)
| Check Point Reference: | CPAI-2007-030 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Microsoft Security Bulletin MS07-016 | |
| Industry Reference(s): | CVE-2007-0217 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4 Microsoft Internet Explorer 6 SP1 on Windows 2000 SP4 Microsoft Internet Explorer 6 for Windows XP SP2 Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition Microsoft Internet Explorer 6 for Windows Server 2003 Microsoft Internet Explorer 6 for Windows Server 2003 SP1 Microsoft Internet Explorer 6 for Windows Server 2003 (Itanium) Microsoft Internet Explorer 6 for Windows Server 2003 SP1 (Itanium) Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition Microsoft Windows Internet Explorer 7 for Windows XP SP2 Microsoft Windows Internet Explorer 7 for Windows XP Professional x64 Edition Microsoft Windows Internet Explorer 7 for Windows Server 2003 SP1 Microsoft Windows Internet Explorer 7 for Windows Server 2003 SP1 (Itanium) Microsoft Windows Internet Explorer 7 for Windows Server 2003 x64 Edition | ||
| Vulnerability Description A remote code execution vulnerability has been reported in the way Microsoft Internet Explorer (IE) processes certain responses from FTP servers. The File Transfer Protocol (FTP) is used to connect computers over the Internet enabling file transferring between their users. An attacker can exploit the vulnerability to execute arbitrary code on an affected system. |
||
|
Update/Patch Available Apply patches: Microsoft Security Bulletin MS07-016 |
|
|
Vulnerability Details The vulnerability is due to a memory corruption error in Microsoft Internet Explorer when handling specially crafted FTP server responses. A remote attacker can exploit this flaw via a specially crafted FTP response sent in an FTP session to the FTP client included in Internet Explorer. Successful exploitation allows execution of arbitrary code on a target system. |
Protection Overview
By enabling this protection, SmartDefense will detect and block malformed FTP responses.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on March 14, 2007 includes the following protections:
Microsoft RTF Multiple Code Execution Vulnerabilities (MS07-011, MS07-012, MS07-013) CPAI-2007-026
Microsoft Step-by-Step Interactive Training Code Execution Vulnerability (MS07-005) CPAI-2007-027
Microsoft HTML Help ActiveX Control Code Execution Vulnerability (MS07-008) CPAI-2007-028
Sun Solaris Telnet Bypass Vulnerability (CPAI-2007-029)
Microsoft IE FTP Responses Code Execution Vulnerability (MS07-016) CPAI-2007-030
Microsoft Malware Protection Engine PDF Code Execution Vulnerability (MS07-010) CPAI-2007-031
Microsoft MDAC Code Execution Vulnerability (MS07-009) CPAI-2007-032
Microsoft Multiple COM Objects Vulnerability (MS07-016) CPAI-2007-033
VPN-1 NGX R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > FTP > FTP Patterns.
2. In the configuration pane, under Settings > Mode, check Active.
3. Select the following protection:
Block Long FTP Response (MS07-016)
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: FTP Patterns Protection Violation
Attack Information: Long FTP response attempt detected (MS07-016)
VPN-1 NGX R61 & R60
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > FTP > FTP Patterns.
2. In the configuration pane, select the following protection:
Block Long FTP Response (MS07-016)
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: FTP Patterns Protection Violation
Attack Information: Long FTP response attempt detected (MS07-016)
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > FTP > FTP Patterns.
3. In the configuration pane, select the following pattern:
Block Long FTP Response (MS07-016)
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: FTP Patterns Protection Violation
Attack Information: Long FTP response attempt detected (MS07-016)
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > FTP> FTP Patterns.
2. In the configuration pane, select the following pattern:
Block Long FTP Response (MS07-016)
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: FTP Patterns Protection Violation
Attack Information: Long FTP response attempt detected (MS07-016)
Connectra NGX R62/R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block Long FTP Response (MS07-016)
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:
Attack Name: FTP Patterns Protection Violation
Attack Information: Long FTP response attempt detected (MS07-016)