SmartDefense Security Advisory

Microsoft Windows AVI File Data Validation Integer Overflow Vulnerability (MS09-038)

Industry Reference: CVE-2009-1546.

A remote code execution vulnerability has been discovered in the way Microsoft Windows handles specially crafted AVI format files. Audio Video Interleave (AVI) is a special case of the Resource Interchange File Format (RIFF). This file type is used by applications that capture, edit, and play back audio-video sequences. A remote attacker could exploit this issue via a malformed AVI file. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system. This protection will detect and block the transfer of malformed AVI files over HTTP.

IPS-1 & IPS-1 NGX R65: Preemptive protection is provided by this product.
Security Gateway R70: A protection was released in a previous update.
VPN-1 NGX R65 & VSX NGX R65: A protection was released in a previous update.
CPAI-2009-151.

Microsoft Windows AVI Processing Malformed Header Remote Code Execution Vulnerability (MS09-038)

Industry Reference: CVE-2009-1545.

A remote code execution vulnerability has been discovered in the way Microsoft Windows handles specially crafted AVI format files. Audio Video Interleave (AVI) is a special case of the Resource Interchange File Format (RIFF). This file type is used by applications that capture, edit, and play back audio-video sequences. A remote attacker could exploit this issue via a malformed AVI file. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system. This protection will detect and block the transfer of malformed AVI files over HTTP.

IPS-1 & IPS-1 NGX R65: A new protection is now available.
Security Gateway R70: A protection was released in a previous update.
VPN-1 NGX R65 & VSX NGX R65: A protection was released in a previous update.
CPAI-2009-149.

Microsoft WINS Buffer Length Heap Overflow Vulnerability (MS09-039)

Industry Reference: CVE-2009-1923.

A remote code execution vulnerability has been discovered in Microsoft WINS. Windows Internet Naming Service (WINS) was designed specifically to support NetBIOS over TCP/IP (NetBT) and is required in any environment in which users access resources that have NetBIOS names. A remote attacker can exploit this vulnerability to take complete control of an affected system. This protection will detect and block malformed WINS network packets.

IPS-1 & IPS-1 NGX R65: A new protection is now available.
Security Gateway R70: A protection was released in a previous update.
VPN-1 NGX R65 & VSX NGX R65: A protection was released in a previous update.
CPAI-2009-145.

Microsoft Windows Workstation Service NetrGetJoinInformation Routine Memory Corruption Vulnerability (MS09-041)

Industry Reference: CVE-2009-1544.

An elevation of privilege vulnerability has been reported in the Microsoft Windows Workstation Service. The Workstation Service routes local file system requests and remote file or print network requests via Remote Procedure Call (RPC). RPC is a protocol that a program can use to request a service from a program located on another computer in the network. An attacker may exploit this issue to run arbitrary code with elevated privileges on an affected system. This protection will detect and block malformed RPC requests sent to the vulnerable service.

IPS-1 & IPS-1 NGX R65: A new protection is now available.
Security Gateway R70: A protection was released in a previous update.
VPN-1 NGX R65 & VSX NGX R65: A protection was released in a previous update.
CPAI-2009-155.

Microsoft Windows Telnet Services Credential Reflection Code Execution Vulnerability (MS09-042)

Industry Reference: CVE-2009-1930.

A remote code execution vulnerability has been reported in the way the Microsoft Windows Telnet Service handles NTLM credentials. Telnet is a bidirectional communications protocol that allows command-line remote administration over TCP. The vulnerability allows a remote attacker to replay the user's own credentials back to them (a credential reflection attack), enabling execution of arbitrary code in the context of the logged-on user. This protection will detect and block attempts to reflect NTLM credentials via the Telnet protocol.

IPS-1 & IPS-1 NGX R65: A new protection is now available.
Security Gateway R70: A protection was released in a previous update.
VPN-1 NGX R65 & VSX NGX R65: A protection was released in a previous update.
CPAI-2009-159.

Microsoft Remote Desktop Client Connection ActiveX Heap Overflow Vulnerability (MS09-044)

Industry Reference: CVE-2009-1929.

A remote code execution vulnerability has been reported in the Microsoft Terminal Services Client ActiveX control. The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server. The Remote Desktop Web Connection ActiveX control allows a user to access a computer over the Internet from another computer using Internet Explorer. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page. Successful exploitation could result in execution of arbitrary code on the affected system. This protection will detect and block attempts to exploit this vulnerability.

IPS-1 & IPS-1 NGX R65: A new protection is now available.
Security Gateway R70: A protection was released in a previous update.
VPN-1 NGX R65 & VSX NGX R65: A protection was released in a previous update.
CPAI-2009-131.

Security Best Practice: Protect Yourself from Invalid IIS ASP.Net URI Character Requests

Industry Reference: CVE-2009-1536.

A denial of service vulnerability has been reported in ASP.NET. ASP.NET is a collection of technologies within the .NET Framework that enable developers to build Web applications and XML Web Services. A remote attacker may exploit this issue to cause a vulnerable server to become unresponsive. This protection will detect and block IIS ASP.NET requests with invalid characters in the URI.

IPS-1 & IPS-1 NGX R65: A new protection is now available.
Security Gateway R70: A protection was released in a previous update.
VPN-1 NGX R65 & VSX NGX R65: A protection was released in a previous update.
SBP-2009-15.

Squid HTTP Data Processing Remote Denial of Service Vulnerability

A denial of service vulnerability exists in the way Squid handles HTTP requests and responses. Squid is a popular open-source Internet proxy and web-caching application. The vulnerability is due to a boundary error when handling malformed HTTP requests and responses. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request or response packet to an affected system. This protection will detect and block HTTP responses with invalid response codes.

IPS-1 & IPS-1 NGX R65: A new protection is now available.
CPAI-2009-227.

Oracle BEA Weblogic Server console-help.portal Cross-Site Scripting Vulnerability

Industry Reference: CVE-2009-1975.

A cross-site scripting vulnerability was reported in BEA WebLogic Server. BEA WebLogic Server is an enterprise-class Java application server platform, typically used for large enterprise web applications. The vulnerability is due to a lack of sanitization of input passed to console-help.portal pages before it is returned to the user. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary HTML or script code on the client system. This protection will detect and block attempts to exploit this vulnerability.

IPS-1 & IPS-1 NGX R65: A protection was released in a previous update.
Security Gateway R70: A new protection is now available.
VPN-1 NGX R65 & VSX NGX R65: A new protection is now available.
CPAI-2009-211.

Oracle Database Secure Enterprise Search Cross Site Scripting Vulnerability

Industry Reference: CVE-2009-1968.

Oracle Database Secure Enterprise Search contains a flaw that allows a remote cross-site scripting attack. Oracle Secure Enterprise Search (SES), a standalone product from Oracle, enables secure, high-quality search across all enterprise information assets. The flaw exists because the application does not validate the search_p_groups parameter when it is submitted to the /search/query/search script. A remote attacker could create a specially crafted URL that executes arbitrary code in a user's browser, leading to a loss of integrity. This protection will block attempts to exploit this vulnerability.

IPS-1 & IPS-1 NGX R65: A protection was released in a previous update.
Security Gateway R70: A new protection is now available.
VPN-1 NGX R65 & VSX NGX R65: A new protection is now available.
CPAI-2009-223.

Mozilla Network Security Services and Firefox Common Name Security Bypass

Industry Reference: CVE-2009-2408.

A security bypass vulnerability has been reported in Mozilla Network Security Services (NSS) and Firefox. Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Firefox is a popular open-source web browser developed by the Mozilla Foundation. A remote attacker could exploit this flaw to mount a man-in-the-middle attack against the vulnerable system. This protection will detect and block SSL certificates whose Common Name contains a NULL prefix.

Security Gateway R70: A new protection is now available.
VPN-1 NGX R65 & VSX NGX R65: A new protection is now available.
CPAI-2009-129.

Recent Malware Threats (19-Aug-09)

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general name for a variety of hostile, intrusive, or annoying programs, such as viruses, worms, adware, Trojans, and spyware, that exploit unprotected clients and use network access to intrude upon organizations, destroying or stealing data. IPS will detect and block the malware based on predefined signatures. This update includes 12 new protections against recent malware threats.

CPAI-2009-161.

Adobe JRun 4.0 Directory Traversal File Read Vulnerability (APSB09-12)

Industry Reference: CVE-2009-1873.

A directory traversal vulnerability was reported in Adobe Systems JRun. JRun is an application server based on the Java 2 Platform, Enterprise Edition (J2EE). It works with popular Web servers including Apache and IIS. This vulnerability allows an attacker to access normally inaccessible files and directories through a specially crafted HTTP request. Instead of having access only to the publicly available files, the attacker can gain access to all files on the server. When this protection is enabled, SmartDefense will detect and block malformed HTTP requests sent to the vulnerable server. No update is required to address this vulnerability.

Security Gateway R70: Preemptive protection is provided by this product.
VPN-1 NGX R65 & VSX NGX R65: Preemptive protection is provided by this product.
CPAI-2009-163.

August 19, 2009





©2003-2009 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved.
800 Bridge Parkway, Redwood City, CA USA 94065