=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2006/VULN506
_____________________________________________________________________

DATE                      : 28/09/2006

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Internet Explorer.

======================================================================

                      National Cyber Alert System

                Technical Cyber Security Alert TA06-270A


Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability

    Original release date: September 27, 2006
    Last revised: --
    Source: US-CERT


Systems Affected

      * Microsoft Windows
      * Microsoft Internet Explorer


Overview

    The Microsoft Windows WebViewFolderIcon ActiveX control contains an
    integer overflow vulnerability that could allow a remote attacker
    to execute arbitrary code.


I. Description

    The Microsoft Windows WebViewFolderIcon ActiveX control contains an
    integer overflow vulnerability. An attacker could exploit this
    vulnerability through Microsoft Internet Explorer (IE) or any other
    application that hosts the WebViewFolderIcon control. More
    information is available in Vulnerability Note VU#753044.

    Exploit code for this vulnerability is publicly available.


II. Impact

    By convincing a user to open a specially crafted HTML document,
    such as a web page or HTML email message, a remote attacker could
    execute arbitrary code with the privileges of the user who is
    running the program that hosts the WebViewFolderIcon control.


III. Solution

    Microsoft has not released an update for this
    vulnerability. Consider the following workarounds and best
    practices:

    Disable the WebViewFolderIcon ActiveX control

      To protect against this specific vulnerability, disable the
      WebViewFolderIcon control by setting the kill bit for the
      following CLSID:

        {844F4806-E8A8-11d2-9652-00C04FC30871}

      More information about how to set the kill bit is available in
      Microsoft Support Document 240797.


    Disable ActiveX

      To protect against this and other ActiveX and COM
      vulnerabilities, disable ActiveX in the Internet Zone and any
      other zone that might be used by an attacker. Instructions for
      disabling ActiveX in the Internet Zone can be found in the
      "Securing Your Web Browser" document and the Malicious Web
      Scripts FAQ.

    Render email as plain text

      To protect against this and other vulnerabilities that require a
      victim to load a malicious HTML document, configure email clients
      to render email as plain text.

    Do not follow unsolicited links

      To protect against this and other vulnerabilities that require a
      victim to load a malicious HTML document, do not follow
      unsolicited or untrusted links.

      In order to convince users to visit their sites, attackers often
      use URL encoding, IP address variations, long URLs, intentional
      misspellings, and other techniques to create misleading links. Do
      not click on unsolicited links received in email, instant
      messages (IMs), web forums, or internet relay chat (IRC)
      channels. Type URLs directly into the browser to avoid these
      misleading links. While these are generally good security
      practices, following these behaviors will not prevent
      exploitation of this vulnerability in all cases, particularly if
      a trusted site has been compromised or allows cross-site
      scripting.


IV. References

      * Vulnerability Note VU#753044 -
        <http://www.kb.cert.org/vuls/id/753044>

      * Securing Your Web Browser -
        <http://www.us-cert.gov/reading_room/securing_browser/>

      * Malicious Web Scripts FAQ -
        <http://www.cert.org/tech_tips/malicious_code_FAQ.html>

      * CVE-2006-3730 -
        <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730>

      * Microsoft Support Document 240797 -
        <http://support.microsoft.com/kb/240797>


  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA06-270A.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert@cert.org> with "TA06-270A Feedback VU#753044" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  ____________________________________________________________________

    Produced 2006 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________


Revision History

    September 27, 2006: Initial release

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================