Update Protection against Microsoft Windows Kodak Image Viewer Code Execution Vulnerability (MS07-055)

Vulnerability
Protection

Check Point Reference:	CPAI-2007-121
Date Published:
Severity:
Source:	Microsoft Security Bulletin MS07-055
Industry Reference(s):	CVE-2007-2217
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 InterSpect NGX
Who is Vulnerable? Microsoft Windows 2000 Server SP4 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows Server 2003 SP2
Vulnerability Description A buffer overflow vulnerability has been identified in Microsoft Windows Kodak Image Viewer. Kodak Image Viewer is the picture viewer of Microsoft Windows. It deals with various types of popular graphic document formats, including the Tagged Image File Format (TIFF). A remote attacker could exploit this issue via a malformed TIFF file. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system.

Update/Patch Available Apply patches: Microsoft Security Bulletin MS07-055
Vulnerability Details The vulnerability is due to an error in Microsoft Windows Kodak Image Viewer that fails to properly parse malformed Tagged Image File Format (TIFF) files. A remote attacker could trigger this flaw by convincing a victim to open a specially TIFF file. Successful exploitation of this issue may allow execution of arbitrary code on a vulnerable system.

Protection Overview
By enabling this protection, SmartDefense will detect and block the transferring of malformed TIFF files over HTTP.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on October 28, 2007 includes the following protections:

OpenOffice TIFF File Parsing Integer Overflow Vulnerability (CPAI-2007-120)
Microsoft Windows Kodak Image Viewer Vulnerability (MS07-055) - CPAI-2007-121
Microsoft Visual Studio PDWizard.ocx ActiveX Control Vulnerability (CPAI-2007-122)
Microsoft Word Malformed String Memory Corruption Vulnerability (MS07-060) - CPAI-2007-123
Microsoft Windows RPC NTLMSSP Authentication DoS Vulnerability (MS07-058) - CPAI-2007-124
New Feature for the Block FTP Brute Force Attacks Protection (SBP-2007-09)
Blocking QQ Instant Messenger (SBP-2007-10)

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Content Protection > Malformed TIFF.
2. In the configuration pane, under Settings > Mode, check Active.
3. Select the following:

Block Kodak Image Viewer Vulnerability (MS07-055)

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: TIFF Content Protection Violation
Attack Information: Kodak viewer TIFF vulnerability detected (MS07-055)

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection.
2. Select the following:

Malformed TIFF

3. In the configuration pane, select the following:

Block Kodak Image Viewer Vulnerability (MS07-055)

4.Install policy on all modules.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > Content Protection.
3. Select the following:

Malformed TIFF

4. In the configuration pane, select the following:

Block Kodak Image Viewer Vulnerability (MS07-055)

5.Install policy on all modules.

Legal Notice for Threat Center Advisories