Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Internet Explorer UTF-8 Decoding Vulnerability (MS06-021)

Subscribe

Check Point Reference: CPAI-2006-105
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-021
Industry Reference(s): CVE-2006-2382
US-CERT VU#136849
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4
Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP1
Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 SP1
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 98
Microsoft Internet Explorer 6 SP1 on Microsoft Windows 98 SE
Microsoft Internet Explorer 6 SP1 on Microsoft Windows Millennium Edition
Vulnerability Description
Microsoft Internet Explorer (IE) fails to properly decode UTF-8 encoded web pages. UTF-8 (Unicode Translation Format 8) is a type of character encoding for Unicode character sets. This vulnerability allows remote attackers to execute arbitrary code via a specially crafted UTF-8 encoded HTML document.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-021
Vulnerability Details
This vulnerability is due to a miscalculation of memory sizes when translating UTF-8 characters to Unicode. By convincing a user to view a maliciously crafted web page or email message, a remote attacker could execute arbitrary code or cause the Internet Explorer on vulnerable systems to crash.

Protection Overview

The update protects against this vulnerability by blocking UTF-8 malformed HTML files. Depending on the traffic mix, activating this protection may result in performance degradation.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice. 

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on September 12, 2006 includes the following protections: 

Malformed IMAP Commands Protection (CPAI-2006-098)
Protection against Microsoft Windows DHCP Remote Code Execution (MS06-036) - CPAI-2006-101
MiniBB Remote File Vulnerabilities (CPAI-2006-102)
GraceNote (CDDB) Control ActiveX Vulnerability (CPAI-2006-103)
Microsoft Internet Explorer 6 (Internet.HHCtrl) Vulnerability (CPAI-2006-104)
Microsoft Internet Explorer UTF-8 Decoding Vulnerability (MS06-021) - CPAI-2006-105
Apache LDAP HTTP Server Buffer Overflow Vulnerability (CPAI-2006-106)
Pre-Patch Workaround for Microsoft Windows Vulnerabilities (SBP-2006-06)

VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration pane, click

Block html Decoding Memory Corruption Vulnerability (MS06-021)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: HTML Decoding Memory Corruption Vulnerability (MS06-021)

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections and then click Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration page, select

Block html Decoding Memory Corruption Vulnerability (MS06-021)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99831 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections and then click Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer configuration page, select

Block html Decoding Memory Corruption Vulnerability (MS06-021)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99831 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer.
3. In the Microsoft Internet Explorer configuration pane, select

Block html Decoding Memory Corruption Vulnerability (MS06-021)

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: HTML Decoding Memory Corruption Vulnerability (MS06-021)

InterSpect 2.0

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections and then click Microsoft Internet Explorer.
2. In the Microsoft Internet Explorer Configuration Pane,  select

Block html Decoding Memory Corruption Vulnerability (MS06-021)

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: HTML Decoding Memory Corruption Vulnerability (MS06-021)