
Update Protection against Symantec Mail Security KeyView Excel File SST Parsing Integer Overflow Vulnerability


Check Point Reference: CPAI-2009-233
Date Published:
Severity:
Source: Secunia Advisory: 36472
Industry Reference(s): CVE-2009-3037
Protection Provided by:
Security Gateway
  • R70
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Symantec Brightmail Appliance 8.0.x prior to 8.0.2
Symantec Data Loss Prevention Endpoint Agents 8.1.x prior to 8.1.10.2
Symantec Data Loss Prevention Endpoint Agents 9.0.x prior to 9.0.18.9
Symantec Data Loss Prevention Enforce/Detection Servers 7.2.x prior to 7.2.0.40
Symantec Data Loss Prevention Enforce/Detection Servers 8.1.x prior to 8.1.10.1
Symantec Data Loss Prevention Enforce/Detection Servers 9.0.x prior to 9.0.18.5
Symantec Mail Security for Domino 7.5.x prior to 7.5.7
Symantec Mail Security for Domino 8.0.x prior to 8.0.1
Symantec Mail Security for Microsoft Exchange 5.0.x prior to 5.0.13
Symantec Mail Security for Microsoft Exchange 6.0.x prior to 6.0.9
Symantec Mail Security for SMTP 5.0.x prior to patch level 205

IBM Lotus Notes 5.x
IBM Lotus Notes 6.x
IBM Lotus Notes 7.x
IBM Lotus Notes 8.0.x
IBM Lotus Notes 8.5.x
Vulnerability Description
An integer overflow vulnerability exists in multiple products using Autonomy KeyView SDK (File Viewer for Excel). A remote attacker could exploit this vulnerability by enticing the target user to open or view a malicious Excel file with the vulnerable version of the product. Successful exploitation could result in execution of arbitrary code.
Update/Patch Available
No patch was available from Symantec at the time of writing.
IBM has released an advisory: IBM
Vulnerability Details
The vulnerability is due to an error when parsing a Shared String Table (SST) record inside of an Excel file. Remote attackers can exploit this vulnerability by enticing a target user to open or view a malicious Excel file with the vulnerable version of the product.
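
The following C example is added here for illustration and is not code from this advisory, from KeyView, or from any affected product. The advisory does not say which SST field overflows, so the example assumes the common pattern of a 32-bit string count multiplied by an element size, and shows the wrapping calculation beside a bounds-checked allocation. The names `sst_entry`, `naive_alloc_size`, `sst_alloc_index` and `make_sst` are hypothetical; the only format details used are the BIFF8 SST record type (0x00FC) and its total and unique string counts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define BIFF_SST      0x00FCu  /* BIFF8 record type for the Shared String Table */
#define MIN_STR_BYTES 3u       /* smallest string: 2-byte length + 1-byte flags */

typedef struct { uint32_t offset, cch; } sst_entry;  /* hypothetical index entry */

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* The bug class: a 32-bit size computation wraps, so the buffer is tiny
   while later loops still trust the count read from the file. */
uint32_t naive_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(sst_entry);
}

/* Hardened: validate the record, bound the count by the bytes that could
   actually hold that many strings, and check the multiplication.
   Returns 0 and sets *out (caller frees), or a negative rejection code. */
int sst_alloc_index(const uint8_t *rec, size_t len, size_t stream_len,
                    sst_entry **out, uint32_t *count) {
    if (len < 12) return -1;                       /* header + two counts */
    if (rd16(rec) != BIFF_SST) return -2;
    uint32_t size = rd16(rec + 2);
    if (size < 8 || size > len - 4) return -1;     /* declared size must fit */
    uint32_t unique = rd32(rec + 8);               /* cstUnique */
    /* Strings may spill into CONTINUE records, so bound by the whole stream. */
    if (unique > stream_len / MIN_STR_BYTES) return -3;
    if (unique > SIZE_MAX / sizeof(sst_entry)) return -4;  /* 32-bit builds */
    *out = calloc(unique ? unique : 1, sizeof(sst_entry));
    if (!*out) return -5;
    *count = unique;
    return 0;
}

/* Constructed sample: a 12-byte SST record carrying only the two counts. */
void make_sst(uint8_t r[12], uint32_t total, uint32_t unique) {
    const uint8_t hdr[4] = { 0xFC, 0x00, 0x08, 0x00 };
    for (int i = 0; i < 4; i++) {
        r[i] = hdr[i];
        r[4 + i] = (uint8_t)(total >> (8 * i));
        r[8 + i] = (uint8_t)(unique >> (8 * i));
    }
}
```

A file-scanning gateway or viewer that applies the count-versus-stream-size bound rejects the oversized count before any allocation happens, which is the same class of malformed record the protection below is described as blocking.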

Protection Overview
This protection detects and blocks the transfer of malformed Excel files over HTTP.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Content Protection.
2. In the right pane, double-click the Microsoft Excel SST Record Integer Overflow (MS09-021) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: Content Protection Violation
Attack Information: Microsoft Excel SST record integer overflow (MS09-021)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Microsoft Office Parser protection group.
3. Click CVE-2009-0561 Microsoft Excel Record Integer Overflow (MS09-021) - (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Vulnerability in MS-Office file
Description: CVE-2009-0561 Microsoft Excel Record Integer Overflow (MS09-021)