Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against Adobe Reader Download Manager ActiveX Control Buffer Overflow Vulnerability (APSB10-02)

Subscribe

Check Point Reference: CPAI-2010-009
Date Published:
Preemptive Since:
Severity:
Last Updated:
Source: Adobe Security Bulletin - APSB10-02
Industry Reference(s): CVE-2009-3958
Protection Provided by: Security Gateway
  • R75
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
Who is Vulnerable?
Adobe Reader 9.2 and earlier versions for Windows, Macintosh, and UNIX
Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh
Vulnerability Description
A remote code execution vulnerability has been discovered in Adobe Reader and Acrobat NOS Microsystems getPlus+ ActiveX Control. A remote attacker could implant a shell code on a target system using heap spray exploitation method. Heap spraying is a technique for exploiting vulnerabilities in internet browsers (e.g. Internet Explorer, Firefox). Successful exploitation allows execution of arbitrary code on a vulnerable system.
Update/Patch Available
Update patches:
Adobe Security Bulletin - APSB10-02
Vulnerability Details
The vulnerability is due to the Adobe Reader and Acrobat NOS Microsystems getPlus+ ActiveX Control. A remote attacker may exploit this issue by specially crafting a Web page that will trigger the vulnerability. Successful exploitation of this issue will create a denial of service condition, causing the application to become non-responsive, and may allow execution of arbitrary code on a vulnerable system.

Protection Overview
This protection will detect and block a large number of known shell code exploits.

Users are protected against this vulnerability if the protection for blocking known shell codes in the Protection section of SBP-2006-12 has been applied.

In order for the protection to be activated, update your Security Gateway: R75 product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05Protection taband select the version of your choice. 

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Web Intelligence > HTTP Client Protections Microsoft Internet Explorer Vulnerabilities.
2. In the right pane, double-click the Adobe Download Manager getPlus ActiveX Control Buffer Overflow (APSB10-02) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Adobe Download Manager getPlus ActiveX Control Buffer Overflow (APSB10-02)

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. In the right pane, double-click the Internet Explorer Heap Spray Shell Code Execution (MS06-055 MS06-067) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Internet Explorer Heap Spray shell code execution (MS06-055 MS06-067)

VPN-1 NGX R65 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities > Block Heap Spray Remote Shell Code Execution.
2. In the Block Heap Spray configuration pane, under Block Heap Spray Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution