Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Rich Textbox Control SaveFile File Overwrite Vulnerability

Subscribe

Check Point Reference: CPAI-2008-018
Date Published:
Severity:
Last Updated:
Source: ISS X-Force Databse: 39557
Industry Reference(s): CVE-2008-0237
Protection Provided by: Security Gateway
  • R70
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
Who is Vulnerable?
Microsoft Visual Studio 6.0
Vulnerability Description
A file overwriting vulnerability exists in Microsoft Rich Textbox control ActiveX control. Microsoft Rich Textbox is an ActiveX control that comes with Visual Basic. It allows programs to create formatted text in Rich Text Format. Microsoft Rich Textbox control (ActiveX control Richtx32.ocx) is used for displaying, entering, and manipulating text with formatting. It can also display fonts, colors, and links, and load text and embedded images from a file. By convincing a user to visit a specially crafted web page, a remote attacker may trigger this vulnerability to execute arbitrary code on an affected system.
Vulnerability Details
This vulnerability is due to lack of verification in the Microsoft Rich Textbox Control ActiveX control when handling arguments sent to a certain method. To trigger this issue, an attacker may create a malicious web page that will exploit this flaw. Successful exploitation may allow creating or modifying arbitrary files on the vulnerable system.

Protection Overview
By enabling this protection, SmartDefense will detect and block the vulnerable ActiveX Control. Depending on the traffic mix, activating this protection may result in performance degradation.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. In the right pane, double-click the Microsoft Rich Textbox Control File Overwrite protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft Rich Textbox control file overwrite

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities > Block Microsoft Rich Textbox Control File Overwrite Vulnerability.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft rich textbox control file overwrite vulnerability detected

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. Select the following:

Block Microsoft Rich Textbox Control File Overwrite Vulnerability

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft rich textbox control file overwrite vulnerability detected

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. Select the following:

Block Microsoft Rich Textbox Control File Overwrite Vulnerability

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99966 will appear on the SmartView Tracker.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. Select the following:

Block Microsoft Rich Textbox Control File Overwrite Vulnerability

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
Rule #99966 will appear on the SmartView Tracker.

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer vulnerabilities.
3. Select the following:

Block Microsoft Rich Textbox Control File Overwrite Vulnerability

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Microsoft rich textbox control file overwrite vulnerability detected