ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
formats provided by Windows Explorer for viewing file and folder information. This feature allows users to preview
documents in a thumbnail view before opening. In addition, information such as title and author is displayed. The
preview pane is implemented via an HTML resource file (in webvw.dll), which examines the currently selected file,
reads its metadata and displays useful information about it such as the file's size, attributes, modification date, author
and more. A remote code execution vulnerability exists in the way that Web View within Windows Explorer handles
certain HTML characters in the author name field of a document. When the preview pane outputs the document's author
name, it checks whether the name resembles an email address, and if so, transforms it into a 'mailto:' link in the pane.
The transformation into a link does not filter potentially dangerous characters and makes it possible to inject attributes
into the link, which enables execution of arbitrary script commands. An attacker could persuade a user to save a file
from an email message or from a website to a local storage device. If a remote attacker persuades a user to preview a
malicious file, the attacker could execute arbitrary code within the context of the victim and gain complete control over
the targeted system. This vulnerability can also be exploited by directing the user to an attacker-controlled SMB share;
the user will then need to select the file in order to activate the exploit. Administrators are advised to install patches
provided by Microsoft. This rule hits when a normal Microsoft Word attack pattern sequence, followed by javascript
found as background, is seen in traffic towards the destination port 445.
Signature ID: 21007
Microsoft Windows Color Management Module ICC Profile Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1219 Bugtraq: 14214 Nessus: 18681
Signature Description: The Microsoft Color Management Module provides consistent color management operations
between applications and devices and transforms between colorspaces such as 'RGB' and 'CMYK'. The International
Color Consortium (ICC) is an organization whose purpose is to provide a standard by which vendors can implement
color management to ensure cross-vendor compatibility. Microsoft implements the ICC specification in its color
management modules icm32.dll and mscms.dll. Microsoft Windows Color Management Module is prone to a
buffer-overflow vulnerability that can be triggered when these DLLs decode certain ICC color tags. An ICC profile has a
profile header of 128 bytes which provides the necessary information to allow a receiving system to properly search
and sort ICC profiles. Tags and tag data provide the necessary information to do the job assigned for an ICC profile. By
specifying large tag data, a buffer overflow can be triggered when the Color Management Module processes this tag. An
attacker could exploit this vulnerability by posting a malicious document on a website, by sending malicious content
via email, or through other means. Most Windows XP, 2003 and 2000 systems are vulnerable.
Signature ID: 21008
Microsoft Windows Color Management Module ICC Profile Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1219 Bugtraq: 14214 Nessus: 18681
Signature Description: The Microsoft Color Management Module provides consistent color management operations
between applications and devices and transforms between colorspaces such as 'RGB' and 'CMYK'. The International
Color Consortium (ICC) is an organization whose purpose is to provide a standard by which vendors can implement
color management to ensure cross-vendor compatibility. Microsoft implements the ICC specification in its color
management modules icm32.dll and mscms.dll. Microsoft Windows Color Management Module is prone to a
buffer-overflow vulnerability that can be triggered when these DLLs decode certain ICC color tags. An ICC profile has a
profile header of 128 bytes which provides the necessary information to allow a receiving system to properly search
and sort ICC profiles. Tags and tag data provide the necessary information to do the job assigned for an ICC profile.
'rXYZ' stands for redMatrixColumnTag and it is the first column in the matrix used in TRC/Matrix transforms. By
specifying large tag data, a buffer overflow can be triggered when the Color Management Module processes this tag. An
attacker could exploit this vulnerability by posting a malicious document on a website, by sending malicious content
via email, or through other means. Most Windows XP, 2003 and 2000 systems are vulnerable.
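
A structural check that a defender could run over ICC profiles, covering the 128-byte header, the tag table and the 'rXYZ' tag described in signatures 21007 and 21008. This is an added example, not part of the original guide and not the signatures' own matching logic. The function names, the constructed sample profiles and the 20-byte expectation for rXYZ/gXYZ/bXYZ (one XYZNumber, per the ICC specification) are assumptions of this example.

```python
import struct

HEADER_LEN = 128                      # fixed ICC profile header size
XYZ_TAGS = {b"rXYZ", b"gXYZ", b"bXYZ"}
XYZ_LEN = 20                          # 'XYZ ' type sig + 4 reserved + one 12-byte XYZNumber

def check_icc(data):
    """Return a list of structural findings; an empty list means the tag table is sane."""
    findings = []
    if len(data) < HEADER_LEN + 4:
        return ["truncated: no room for header and tag count"]
    (declared,) = struct.unpack_from(">I", data, 0)
    if data[36:40] != b"acsp":
        findings.append("missing 'acsp' profile signature")
    if declared != len(data):
        findings.append(f"declared size {declared} != actual {len(data)}")
    (count,) = struct.unpack_from(">I", data, HEADER_LEN)
    table_end = HEADER_LEN + 4 + 12 * count
    if table_end > len(data):
        return findings + [f"tag count {count} overruns the file"]
    for i in range(count):
        # Each tag table entry: 4-byte signature, 4-byte offset, 4-byte size (big-endian).
        sig, off, size = struct.unpack_from(">4sII", data, HEADER_LEN + 4 + 12 * i)
        name = sig.decode("ascii", "replace")
        if off < table_end or off + size > len(data):
            findings.append(f"{name}: data [{off}, {off + size}) outside profile")
        if sig in XYZ_TAGS and size != XYZ_LEN:
            findings.append(f"{name}: size {size}, expected {XYZ_LEN}")
    return findings

def build_profile(tags):
    """Build a minimal sample profile (constructed test input, not a real profile)."""
    table_end = HEADER_LEN + 4 + 12 * len(tags)
    table, body = b"", b""
    for sig, payload in tags.items():
        table += struct.pack(">4sII", sig, table_end + len(body), len(payload))
        body += payload
    total = table_end + len(body)
    header = struct.pack(">I", total) + bytes(32) + b"acsp" + bytes(88)
    return header + struct.pack(">I", len(tags)) + table + body

# Constructed samples: a well-formed rXYZ tag and one carrying oversized tag data.
GOOD = build_profile({b"rXYZ": b"XYZ " + bytes(16)})
BAD = build_profile({b"rXYZ": b"XYZ " + bytes(4) + bytes(4096)})

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_icc(sample) or "ok")
```
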