
Portable Executable (PE) 16-bit File


Check Point Reference: CPAI-2011-124
Date Published:
Severity:
Source: Microsoft Security Bulletin MS11-077
Industry Reference(s): CVE-2011-2003
Protection Provided by: IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Windows XP SP3
Windows Vista SP2
Windows 7 SP1
Windows Server 2003 SP2
Windows Server 2008 R2
Vulnerability Description
A buffer overflow vulnerability has been reported in the Microsoft Windows kernel.
Update/Patch Available
MS11-077
Vulnerability Details
The vulnerability is due to insufficient data validation when processing specially crafted legacy font files (.fon). A remote attacker may exploit this vulnerability by enticing an unsuspecting user to open a malicious font file from a WebDAV or an SMB share. Successful exploitation may allow an attacker to take complete control of an affected system.

Protection Overview
The protection will block the transfer of NE-format MZ executable files across HTTP, IRC, SMTP and FTP.
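
The following added example (not Check Point's signature logic and not part of the original advisory) shows how a file-triage script can recognize the NE-format MZ files that the protection blocks, using the publicly documented MZ header layout. The function names, result labels and sample buffers are hypothetical and constructed for illustration.

```python
import struct

# Constants from the publicly documented MZ / NE / PE header layouts.
MZ_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C   # 4-byte little-endian offset of the new-style header
DOS_HEADER_SIZE = 0x40


def classify_mz(data: bytes) -> str:
    """Return 'not-mz', 'ne', 'pe' or 'mz-other' for a byte buffer."""
    if data[:2] != MZ_MAGIC:
        return "not-mz"
    if len(data) < DOS_HEADER_SIZE:
        return "mz-other"            # too short to carry e_lfanew
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Offsets inside the DOS header or past the buffer cannot be checked;
    # this also covers plain DOS programs and truncated captures.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 2 > len(data):
        return "mz-other"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "ne"                  # 16-bit New Executable
    if sig == b"PE\0\0":
        return "pe"                  # 32/64-bit Portable Executable
    return "mz-other"


def should_block(data: bytes) -> bool:
    """Mirror the advisory's policy: block NE-format MZ files only."""
    return classify_mz(data) == "ne"


def build_sample(signature: bytes, new_header_offset: int = 0x80) -> bytes:
    """Build a constructed, non-functional header-only buffer for testing."""
    dos = bytearray(new_header_offset)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, new_header_offset)
    return bytes(dos) + signature + b"\0" * 0x3C


if __name__ == "__main__":
    samples = {
        "constructed-ne": build_sample(b"NE"),
        "constructed-pe": build_sample(b"PE\0\0"),
        "truncated-ne": build_sample(b"NE")[:0x50],
        "not-executable": b"%PDF-1.4 constructed",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_mz(blob)} block={should_block(blob)}")
```

A buffer truncated before the new-style header is reported as mz-other, so a scanner that inspects only the first bytes of a transfer must capture at least up to the e_lfanew offset plus two bytes.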

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 NGX R65 & IPS-1

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Microsoft .NET CLI PE Header Memory Corruption protection group.
3. Click Portable Executable (PE) 16-bit File.
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Microsoft PE Executable Source
Description: Portable Executable (PE) 16-bit File