Update Protection against Microsoft Internet Explorer findText Unicode Parsing Denial of Service Vulnerability
| Check Point Reference: | CPAI-2011-005 | |
| Date Published: | ||
| Severity: | ||
| Source: | SecurityFocus Bugtraq ID: 35799 | |
| Industry Reference(s): | CVE-2009-2655 | |
| Protection Provided by: |
Security Gateway
|
|
| Who is Vulnerable? Microsoft Internet Explorer 8 on Windows XP SP3 Microsoft Internet Explorer 7 on Windows XP SP3 | ||
| Vulnerability Description A denial of service vulnerability has been reported in the way Microsoft Internet Explorer parses HTML pages. A remote attacker could exploit this issue by convincing a user to visit a specially crafted HTML document or open a malicious Web page. Successful exploitation could result in a denial of service condition, thus crashing the vulnerable browser. |
||
|
Vulnerability Details The vulnerability is due to an error in the mshtml.dll library. A remote attacker might exploit this issue by persuading a user to visit a specially crafted Web page that calls the JavaScript findText method with a crafted Unicode string in the first argument and only one additional argument. Successful exploitation of this vulnerability would create a denial of service condition, causing the browser to crash. |
Protection Overview
This protection will detect and block attempts to exploit this vulnerability via malicious HTML pages.
In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense,go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.