Date: 28 September 2006
References: AL-2006.0088
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2006.0083 -- AUSCERT ALERT
[Win]
Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability
28 September 2006
===========================================================================
AusCERT Alert Summary
---------------------
Product: WebViewFolderIcon ActiveX control
Internet Explorer
Publisher: US-CERT
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2006-3730
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-270A
Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability
Original release date: September 27, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability that could allow a remote attacker
to execute arbitrary code.
I. Description
The Microsoft Windows WebViewFolderIcon ActiveX control contains an
integer overflow vulnerability. An attacker could exploit this
vulnerability through Microsoft Internet Explorer (IE) or any other
application that hosts the WebViewFolderIcon control. More
information is available in Vulnerability Note VU#753044.
Exploit code for this vulnerability is publicly available.
II. Impact
By convincing a user to open a specially crafted HTML document,
such as a web page or HTML email message, a remote attacker could
execute arbitrary code with the privileges of the user who is
running the program that hosts the WebViewFolderIcon control.
III. Solution
Microsoft has not released an update for this
vulnerability. Consider the following workarounds and best
practices:
Disable the WebViewFolderIcon ActiveX control
To protect against this specific vulnerability, disable the
WebViewFolderIcon control by setting the kill bit for the
following CLSID:
{844F4806-E8A8-11d2-9652-00C04FC30871}
More information about how to set the kill bit is available in
Microsoft Support Document 240797.
Disable ActiveX
To protect against this and other ActiveX and COM
vulnerabilities, disable ActiveX in the Internet Zone and any
other zone that might be used by an attacker. Instructions for
disabling ActiveX in the Internet Zone can be found in the
"Securing Your Web Browser" document and the Malicious Web
Scripts FAQ.
Render email as plain text
To protect against this and other vulnerabilities that require a
victim to load a malicious HTML document, configure email clients
to render email as plain text.
Do not follow unsolicited links
To protect against this and other vulnerabilities that require a
victim to load a malicious HTML document, do not follow
unsolicited or untrusted links.
In order to convince users to visit their sites, attackers often
use URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links. Do
not click on unsolicited links received in email, instant
messages (IMs), web forums, or internet relay chat (IRC)
channels. Type URLs directly into the browser to avoid these
misleading links. While these are generally good security
practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if
a trusted site has been compromised or allows cross-site
scripting.
IV. References
* Vulnerability Note VU#753044 -
<http://www.kb.cert.org/vuls/id/753044>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* Malicious Web Scripts FAQ -
<http://www.cert.org/tech_tips/malicious_code_FAQ.html>
* CVE-2006-3730 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730>
* Microsoft Support Document 240797 -
<http://support.microsoft.com/kb/240797>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-270A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-270A Feedback VU#753044" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
September 27, 2006: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRRr/eexOF3G+ig+rAQIhyAf/fQEq6CeRusvnGxVXAq3DlDtStv2bKOAX
aL7ynLjuyiMk6/oqOmzhuY9hu8zLaTXo2O3KhUpt+27KuxSEf+Kc1I9K2d19IP/P
vgNxQaqh2wzdW+iXv18c8sYU4SA+bTXdvpQp1oVmJ1oZiyBYrQjSGFxjZ4PJXD5k
02YUoQNk6tWWDvA4Fe3bDhx3J8NqTcht/+mcJkAzL0TmE7bYDE+cNkqLLbQ7BTa6
M8RkH/DMkOM9mSoFIFAszSbTcMJJmH0yM3948+rrL0Wr/rAC4h9pCKMWA8w4k0bp
enXfYh2B1utRJs/AZSz83wRGO/DdD5x4xQ0OWsMYDAzGudYr6MycfQ==
=2nCt
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRRspUih9+71yA2DNAQI+kQQAgYdDewLIpw+vI3PtoWXuMHiyhHeYutSf
fqTThH2y9xhms9hO95Sc3LRNAPMHBEqxus+vpDwsdYSqpF4g6WuxPRZqQo2/pRs/
v/BmWjXlXlO3VAjWOTACRHBAz9CeuOGqnX1Y6jtskjvYaSWhEXXK3fTYGABPNM5p
RLrdHDYJ+Rc=
=hGme
-----END PGP SIGNATURE-----
|