US-CERT Technical Cyber Security Alert TA06-270A -- Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability

[US-CERT Technical Alerts <technical-alerts@xxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                     National Cyber Alert System

               Technical Cyber Security Alert TA06-270A


Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability

   Original release date: September 27, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Windows
     * Microsoft Internet Explorer


Overview

   The Microsoft Windows WebViewFolderIcon ActiveX control contains an
   integer overflow vulnerability that could allow a remote attacker
   to execute arbitrary code.


I. Description

   The Microsoft Windows WebViewFolderIcon ActiveX control contains an
   integer overflow vulnerability. An attacker could exploit this
   vulnerability through Microsoft Internet Explorer (IE) or any other
   application that hosts the WebViewFolderIcon control. More
   information is available in Vulnerability Note VU#753044.

   Exploit code for this vulnerability is publicly available.


II. Impact

   By convincing a user to open a specially crafted HTML document,
   such as a web page or HTML email message, a remote attacker could
   execute arbitrary code with the privileges of the user who is
   running the program that hosts the WebViewFolderIcon control.


III. Solution

   Microsoft has not released an update for this
   vulnerability. Consider the following workarounds and best
   practices:

   Disable the WebViewFolderIcon ActiveX control

     To protect against this specific vulnerability, disable the
     WebViewFolderIcon control by setting the kill bit for the
     following CLSID:

       {844F4806-E8A8-11d2-9652-00C04FC30871}

     More information about how to set the kill bit is available in
     Microsoft Support Document 240797.


   Disable ActiveX

     To protect against this and other ActiveX and COM
     vulnerabilities, disable ActiveX in the Internet Zone and any
     other zone that might be used by an attacker. Instructions for
     disabling ActiveX in the Internet Zone can be found in the
     "Securing Your Web Browser" document and the Malicious Web
     Scripts FAQ.

   Render email as plain text

     To protect against this and other vulnerabilities that require a
     victim to load a malicious HTML document, configure email clients
     to render email as plain text.

   Do not follow unsolicited links

     To protect against this and other vulnerabilities that require a
     victim to load a malicious HTML document, do not follow
     unsolicited or untrusted links.

     In order to convince users to visit their sites, attackers often
     use URL encoding, IP address variations, long URLs, intentional
     misspellings, and other techniques to create misleading links. Do
     not click on unsolicited links received in email, instant
     messages (IMs), web forums, or internet relay chat (IRC)
     channels. Type URLs directly into the browser to avoid these
     misleading links. While these are generally good security
     practices, following these behaviors will not prevent
     exploitation of this vulnerability in all cases, particularly if
     a trusted site has been compromised or allows cross-site
     scripting.


IV. References

     * Vulnerability Note VU#753044 -
       <http://www.kb.cert.org/vuls/id/753044>

     * Securing Your Web Browser -
       <http://www.us-cert.gov/reading_room/securing_browser/>

     * Malicious Web Scripts FAQ -
       <http://www.cert.org/tech_tips/malicious_code_FAQ.html>

     * CVE-2006-3730 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730>

     * Microsoft Support Document 240797 -
       <http://support.microsoft.com/kb/240797>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-270A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA06-270A Feedback VU#753044" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   September 27, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRRr/eexOF3G+ig+rAQIhyAf/fQEq6CeRusvnGxVXAq3DlDtStv2bKOAX
aL7ynLjuyiMk6/oqOmzhuY9hu8zLaTXo2O3KhUpt+27KuxSEf+Kc1I9K2d19IP/P
vgNxQaqh2wzdW+iXv18c8sYU4SA+bTXdvpQp1oVmJ1oZiyBYrQjSGFxjZ4PJXD5k
02YUoQNk6tWWDvA4Fe3bDhx3J8NqTcht/+mcJkAzL0TmE7bYDE+cNkqLLbQ7BTa6
M8RkH/DMkOM9mSoFIFAszSbTcMJJmH0yM3948+rrL0Wr/rAC4h9pCKMWA8w4k0bp
enXfYh2B1utRJs/AZSz83wRGO/DdD5x4xQ0OWsMYDAzGudYr6MycfQ==
=2nCt
-----END PGP SIGNATURE-----