Update Protection against Microsoft Windows Movie Maker Insecure Library Loading Vulnerability (MS10-093)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-341
Date Published:
Severity:
Last Updated:
Source:	Microsoft Security Bulletin MS10-093
Industry Reference(s):	CVE-2010-3967
Protection Provided by:	Security Gateway R71 R70 VPN-1 NGX R65 VSX NGX R65 IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Windows Movie Maker 2.6 when installed on Windows Vista SP1 and Windows Vista SP2 Windows Movie Maker 2.6 when installed on Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2
Vulnerability Description A remote code execution vulnerability has been reported in the way that Windows Movie Maker handles the loading of DLL files. Windows Movie Maker is an application that allows users to create, edit, and add special effects to home movies. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system.

Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-093

Vulnerability Details
The vulnerability is caused when the Windows Movie Maker incorrectly restricts the path used for loading external libraries. A remote attacker may exploit this issue by convincing a user to open a legitimate Windows Movie Maker (.mswmm) file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the .mswmm file, Windows Movie Maker could attempt to load the DLL file and execute any code it contained. Successful exploitation of this vulnerability could allow the attacker to run arbitrary code on an affected system.

Protection Overview
This protection will detect and block the transferring of suspicious DLL files over CIFS.

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Microsoft Networks.
2. In the right pane, double-click the following protection:

Microsoft Windows Movie Maker Insecure Library Loading (MS10-093)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Windows SMB Protection Violation
Attack Information: Microsoft Windows Movie Maker insecure library loading (MS10-093)

VPN-1 NGX R65 & VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Microsoft Windows Movie Maker Insecure Library Loading (MS10-093).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Filename Recorder protection group
3. Click Microsoft Windows Movie Maker Insecure Library Loading (MS10-093) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: BADFILENAME
Description: Microsoft Windows Movie Maker Insecure Library Loading (MS10-093)

Legal Notice for Threat Center Advisories