Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against MS-Word Zero-Day Attack (919637)

Subscribe

Check Point Reference: CPAi-2006-051
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Advisory (919637)
Industry Reference(s): CVE-2006-2492
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP
Microsoft Word
Vulnerability Description
A zero-day attack has been reported using a code execution vulnerability in Microsoft Word. In order for this attack to be triggered, a user must open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Opening the Word file causes the system to be exploited.
Update/Patch Available
Microsoft is scheduled to release a patch as part of the June security updates on June 13, 2006, or sooner.
Vulnerability Details
The flaw exists in a malformed pointer.When a user opens a specially crafted Word file using a malformed object pointer, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

Protection Overview
By activating the protection, you will be able to detect whether your system has been infected. 

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R61

How Can I Protect My Network?
1. Update SmartDefense: Click the SmartDefense Services tab, In the left pane from the drop-down list, click Download Updates and then click the Online Update button.
2. On the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection and enable the following pattern:

MS Word Trojan Connection Attempt

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: MS Word Trojan Connection Attempt

VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update their SmartDefense by clicking Online Update in the SmartDashboard General window.
2. On the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection and enable the following pattern:

MS Word Trojan Connection Attempt

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: MS Word Trojan Connection Attempt

VPN-1 NG with Application Intelligence R55, R54

How Can I Protect My Network?
1. Update SmartDefense by clicking Update Now in the SmartDashboard General window.
2. On the SmartDefense tree, click Application Intelligence > Web > Peer to Peer.
3. In the Header Detection table, enable the following format:

MS Word Trojan Connection Attempt

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: MS Word Trojan Connection Attempt

VPN-1 VSX NGX

How Can I Protect My Network?
1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection and enable the following pattern:

MS Word Trojan Connection Attempt

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: MS Word Trojan Connection Attempt

InterSpect NGX

How Can I Protect My Network?

1. Update SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
3. In the Web Intelligence tree, click HTTP Protocol Inspection > Header Rejection and enable the following patterns:

MS Word Trojan Connection Attempt

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: MS Word Trojan Connection Attempt

InterSpect 2.0

How Can I Protect My Network?

1. Update SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Web > Peer to Peer.
3. In the Headers Detection table, enable the following patterns:

MS Word Trojan Connection Attempt

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information: MS Word Trojan Connection Attempt