Update Protection against Multiple Microsoft ATL COM Initialization Remote Code Execution Vulnerabilities (MS09-055)

Check Point Reference: CPAI-2009-198
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS09-055
Industry Reference(s): CVE-2009-2493
Protection Provided by: Security Gateway
  • R70
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP2 (Itanium)
Windows Vista
Windows Vista SP1
Windows Vista SP2
Windows Vista x64 Edition
Windows Vista x64 Edition SP1
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP2
Windows Server 2008 (Itanium)
Windows Server 2008 (Itanium) SP2
Windows 7
Windows 7 x64 Edition
Windows Server 2008 R2 for 32-bit Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 (Itanium)
Vulnerability Description
Multiple remote code execution vulnerabilities exist in several Microsoft ActiveX controls. ActiveX controls are reusable software components based on Microsoft Component Object Model (COM). The vulnerabilities are located in the Office Excel add-in for SQL Analysis Services, Microsoft Windows Live Mail, Microsoft Outlook View, MSN Photo Upload Tool and Microsoft Visio Viewer. A remote attacker may exploit these vulnerabilities to execute arbitrary code on an affected system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS09-055
Vulnerability Details
The vulnerabilities are due to an error in multiple Microsoft ActiveX controls. To trigger these issues, an attacker can create a malicious web page that initiates the vulnerable COM objects. Successful exploitation of these vulnerabilities allows execution of arbitrary code on the vulnerable system.

Protection Overview
These protections will detect and block the vulnerable ActiveX controls.

In order for the protections to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. In the right pane, double-click on the following protections:

SQL Analysis Services Office Excel Add-in Remote Code Execution (MS09-055)
Microsoft Windows Live Mail ActiveX Remote Code Execution (MS09-055)
Microsoft Outlook View ActiveX Controls Remote Code Execution (MS09-055)
MSN Photo Upload Tool ActiveX Control Remote Code Execution (MS09-055)
Microsoft Visio Viewer ActiveX Control Remote Code Execution (MS09-055)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information:
SQL Analysis Services Office Excel add-in remote code execution (MS09-055)
Microsoft Windows Live Mail ActiveX remote code execution (MS09-055)
Microsoft Outlook View ActiveX controls remote code execution (MS09-055)
MSN Photo Upload Tool ActiveX control remote code execution (MS09-055)
Microsoft Visio Viewer ActiveX control remote code execution (MS09-055)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the ActiveX Parser protection group.
3. Click Micrsoft ActiveX ATL COM Initialization (MS09-055) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: Badfiles ActiveX class in HTML file Alert/Filter
Description: Micrsoft ActiveX ATL COM Initialization (MS09-055)
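
The following Python example is added here and is not Check Point's code. It tallies the MS09-055 log entries listed above, for both Security Gateway and IPS-1, per source host. The plain-text export layout (blank-line separated "Key: value" records) and the Source field are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter

# Strings as printed in the advisory, lowercased for case-insensitive matching.
GATEWAY_ATTACK = "web client enforcement violation"
IPS1_ALERT = "badfiles activex class in html file"
BULLETIN = "ms09-055"

# Constructed sample export: the record layout and "Source" field are assumptions.
SAMPLE = """\
Source: 10.0.0.21
Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Visio Viewer ActiveX control remote code execution (MS09-055)

Source: 10.0.0.34
Attack Name: Web Client Enforcement Violation
Attack Information: Unrelated protection (constructed)

Source: 10.0.0.40
Alert Name: Badfiles ActiveX class in HTML file Alert/Filter
Description: Micrsoft ActiveX ATL COM Initialization (MS09-055)
"""

def parse_records(text):
    """Blank-line separated records of 'Key: value' lines -> list of dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip().lower(): v.strip() for k, sep, v in pairs if sep})
    return records

def ms09_055_hit(rec):
    """Return the matched protection text, or None if the record is unrelated."""
    if GATEWAY_ATTACK in rec.get("attack name", "").lower():
        info = rec.get("attack information", "")
    elif IPS1_ALERT in rec.get("alert name", "").lower():
        info = rec.get("description", "")
    else:
        return None
    # The attack/alert name alone is not enough; require the bulletin ID as well.
    return info if BULLETIN in info.lower() else None

def summarize(text):
    """Count MS09-055 hits per (source, protection) pair."""
    hits = Counter()
    for rec in parse_records(text):
        info = ms09_055_hit(rec)
        if info:
            hits[(rec.get("source", "unknown"), info)] += 1
    return hits
```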