Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Visual Basic Document Properties Buffer Overrun (MS06-047)

Subscribe

Check Point Reference: CPAI-2006-234
Date Published:
Severity:
Last Updated:
Source: Microsoft Scurity Bulletin MS06-047
Industry Reference(s): CVE-2006-3649
Protection Provided by: Security Gateway
  • R75
Who is Vulnerable?
Microsoft Access 2000 Runtime Service Pack 3
Microsoft Office 2000 Service Pack 3
Microsoft Office XP Service Pack 3
Microsoft Project 2000 Service Release 1
Microsoft Project 2002 Service Pack 1
Microsoft Visio 2002 Service Pack 2
Microsoft Visual Basic for Applications SDK 6.0
Microsoft Visual Basic for Applications SDK 6.2
Microsoft Visual Basic for Applications SDK 6.3
Microsoft Visual Basic for Applications SDK 6.4
Microsoft Works Suite 2004
Microsoft Works Suite 2005
Microsoft Works Suite 2006
Vulnerability Description
Microsoft Visual Basic for Applications (VBA) is an implementation of Microsoft's Visual Basic which is built into all Microsoft Office applications, as well as some other Microsoft applications, such as Microsoft Visio and Microsoft Works Suite. Visual Basic (VB) is an event driven programming and scripting language. VBA technology allows programmable macros to be defined inside Microsoft Office documents.
Vulnerability Details
There exists a buffer overflow vulnerability in Microsoft Visual Basic for Applications (VBA). The flaw is caused by an improper boundary check in the processing of VBA data. By enticing a target user to open documents containing crafted VBA data, a remote attacker may execute arbitrary code on the target host with the privileges of the currently logged on user.
In an attack case where code injection is not successful, the Microsoft Office application will terminate. This can potentially lead to a loss of data.
In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.

Protection Overview
This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Content Protection.
2. In the right pane, double-click the Microsoft Visual Basic Document Properties Buffer Overrun (MS06-047) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Microsoft Visual Basic document properties buffer overrun (MS06-047)