Content
(MS06-057) Microsoft Windows Shell Remote Code Execution Vulnerability (923191)
- Type
- Buffer Overflow
- Impact of exploitation
- Remote Code Execution
- User Interaction
- user interaction is needed
- Attack Vector
- Website or e-mail with malicious content
- Rating
- High
- CVE reference
- CVE-2006-3730,
- Vendor Status
- Responded and patched
- Vulnerable systems
- Windows 2003 SP0 - SP1,
- Windows 2003 Generic,
- Windows 2000 SP4,
- Windows 2000 Generic,
- Windows XP Generic,
- Windows XP SP0 - SP2,
- Summary
- Microsoft Windows contains a flaw that may allow for a denial-of-service attack or arbitrary code execution. This may be exploited by visiting a malicious Website or through an HTML email.
Tab Navigation
Description
Microsoft Windows is an industry-standard operating system. ActiveX objects allow for dynamic content to be displayed in Internet Explorer and other applications. A flaw is present in Microsoft Windows that may be exploited to cause a denial-of-service attack or execute code. The vulnerability centers on the ActiveX object WebViewFolderIcon. Successful exploitation occurs when the object calls the setSlice() function with the initial argument set to 0x7fffffff. The resulting invalid memory copy could allow for arbitrary code execution.
McAfee Product Mitigation & Recommendations
Recommendations
Download and install the patch available from Microsoft(923191): http://www.microsoft.com/technet/security/Bulletin/MS06-057.mspx
McAfee Product Mitigation
McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
- Signature:
- (MS06-061) Microsoft Windows Shell Remote Code Execution Vulnerability
- Signature identifier:
- 4654
- Release date:
- 9/28/2006
McAfee Intrushield
The following Intrushield User Defined Signature (UDS) protects against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- UDS-Microsoft Internet Explorer WebViewFolderIcon Vulnerability
- Release date:
- 9/28/2006
McAfee Intrushield
McAfee Intrushield is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Microsoft_IE_WebViewFolderIcon_Integer_Overflow
- Signature identifier:
- 0x4022E400
- Release date:
- 10/10/2006
- First released in:
- sigset 3.1.23
McAfee Host IPS
McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Internet Explorer Buffer Overflow Vulnerability
- Signature identifier:
- 1146
- Release date:
- 6/24/2003
- First released in:
- 4.0
McAfee Host IPS
McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Windows Shell Vulnerability in WebViewFolderIcon
- Signature identifier:
- 3775
- Release date:
- 10/11/2006
- First released in:
- Security content update 661
McAfee Anti-Virus protection
The following A-V signature detects malware that is known to exploit this vulnerability
- Signature:
- JS/Exploit-BO.gen
- Release date:
- 12/29/2004
- First released in:
- DAT 4417
McAfee Anti-Virus protection
The following A-V signature detects malware that is known to exploit this vulnerability
- Signature:
- Exploit-CVE2006-3730
- Release date:
- 9/28/2006
- First released in:
- DAT 4862
Additional Resources
Microsoft Security Advisory: Vulnerability in Windows Shell Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/926043.mspx
Microsoft Security Bulletin: Vulnerability in Windows Explorer Could Allow Remote Execution (923191)
http://www.microsoft.com/technet/security/Bulletin/MS06-057.mspx
Vulnerability Summary CVE-2006-3730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3730
Internet Explorer WebViewFolderIcon setSlice Integer Overflow (CVE-2006-3730)
All Information
Timeline -
10/10/2006
Vendor has provided a patch.
9/29/2006
Vulnerability information has been publicly disclosed.
9/29/2006
Exploit code has been released.
9/29/2006
Exploit code has been released.
9/28/2006
Vendor has provided information on the vulnerability.
9/28/2006
Vulnerability information has been publicly disclosed.
9/28/2006
Exploit code has been released.
9/27/2006
Exploit code has been released.
7/18/2006
A denial of service proof of concept has been released.
Description -
Microsoft Windows is an industry-standard operating system. ActiveX objects allow for dynamic content to be displayed in Internet Explorer and other applications. A flaw is present in Microsoft Windows that may be exploited to cause a denial-of-service attack or execute code. The vulnerability centers on the ActiveX object WebViewFolderIcon. Successful exploitation occurs when the object calls the setSlice() function with the initial argument set to 0x7fffffff. The resulting invalid memory copy could allow for arbitrary code execution.
McAfee Product Mitigation & Recommendations
Recommendations -
Download and install the patch available from Microsoft(923191): http://www.microsoft.com/technet/security/Bulletin/MS06-057.mspx
McAfee Product Mitigation
McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
- Signature:
- (MS06-061) Microsoft Windows Shell Remote Code Execution Vulnerability
- Signature identifier:
- 4654
- Release date:
- 9/28/2006
McAfee Intrushield
The following Intrushield User Defined Signature (UDS) protects against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- UDS-Microsoft Internet Explorer WebViewFolderIcon Vulnerability
- Release date:
- 9/28/2006
McAfee Intrushield
McAfee Intrushield is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Microsoft_IE_WebViewFolderIcon_Integer_Overflow
- Signature identifier:
- 0x4022E400
- Release date:
- 10/10/2006
- First released in:
- sigset 3.1.23
McAfee Host IPS
McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Internet Explorer Buffer Overflow Vulnerability
- Signature identifier:
- 1146
- Release date:
- 6/24/2003
- First released in:
- 4.0
McAfee Host IPS
McAfee Host IPS is proactively protecting customers against all known exploits of this buffer overflow vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- Windows Shell Vulnerability in WebViewFolderIcon
- Signature identifier:
- 3775
- Release date:
- 10/11/2006
- First released in:
- Security content update 661
McAfee Anti-Virus protection
The following A-V signature detects malware that is known to exploit this vulnerability
- Signature:
- JS/Exploit-BO.gen
- Release date:
- 12/29/2004
- First released in:
- DAT 4417
McAfee Anti-Virus protection
The following A-V signature detects malware that is known to exploit this vulnerability
- Signature:
- Exploit-CVE2006-3730
- Release date:
- 9/28/2006
- First released in:
- DAT 4862
Additional Resources
Additional Resources -
Microsoft Security Advisory: Vulnerability in Windows Shell Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/926043.mspx
Microsoft Security Bulletin: Vulnerability in Windows Explorer Could Allow Remote Execution (923191)
http://www.microsoft.com/technet/security/Bulletin/MS06-057.mspx
Vulnerability Summary CVE-2006-3730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3730
