Update Protection against Microsoft Internet Explorer Response Redirect Information Disclosure Vulnerability (MS10-034)
| Check Point Reference: | CPAI-2010-033 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Microsoft Security Advisory (980088) Microsoft Security Bulletin MS10-034 |
|
| Industry Reference(s): | CVE-2010-0255 | |
| Protection Provided by: |
Security Gateway
|
|
| Who is Vulnerable? Internet Explorer 5.01, 6, 7 and 8 on: Windows 2000 SP4 Windows XP SP2 Windows XP SP3 Windows XP Professional x64 Edition SP2 Windows Server 2003 SP2 Windows Server 2003 x64 Edition SP2 Windows Server 2003 with SP2 (Itanium) Windows Vista Windows Vista SP1 Windows Vista SP2 Windows Vista x64 Edition Windows Vista x64 Edition SP1 Windows Vista x64 Edition SP2 Windows Server 2008 for 32-bit Systems Windows Server 2008 for 32-bit Systems SP2 Windows Server 2008 for x64-based Systems Windows Server 2008 for x64-based Systems SP2 Windows Server 2008 (Itanium) Windows Server 2008 (Itanium) SP2 Windows 7 for 32-bit Systems Windows 7 for x64-based Systems Windows Server 2008 R2 for x64-based Systems Windows Server 2008 R2 (Itanium) | ||
| Vulnerability Description An information disclosure vulnerability has been reported in Microsoft Internet Explorer. A remote attacker could exploit this issue by convincing a user to open a maliciously crafted HTML file with Internet Explorer, which may allow the attacker to view data from a Web page in another Internet Explorer domain. |
||
|
Update/Patch Available Update patches: Microsoft Security Bulletin MS10-034 |
|
|
Vulnerability Details The vulnerability is due to an error in Microsoft Internet Explorer that fails to prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via a URL that includes \\127.0.0.1\. To trigger this issue, an attacker may create a malicious web page and persuade a user to view it. Successful exploitation of this vulnerability will allow an attacker to view the content in another browser window in another domain or Internet Explorer zone. |
Protection Overview
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.