PDA

View Full Version : SmartDefense Update CPAI-2006-033 / CVE-2006-1359



runcmd
2006-03-27, 12:32
I've noticed that CheckPoint has indicated that some performance degradation may occur (depending upon traffic types) after enabling this protection. Has anyone noticed any adverse effects after enabling? Thanks!


Reference:

CheckPoint: Protection Against Microsoft Internet Explorer createTextRange () Vulnerability
http://www.checkpoint.com/defense/advisories/public/2006/cpai-27-Mar.html

Microsoft Security Advisory (917077)
http://www.microsoft.com/technet/security/advisory/917077.mspx

CVE: Common Vulnerabilities and Exposures
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359

McAfee: Exploit-CreateTxtRng
http://vil.mcafeesecurity.com/vil/content/v_139047.htm

Sergej
2006-03-28, 15:09
Cisco is blaming CheckPoint in competitive cheat sheet in low performance. As far as i remember Cisco states that Checkpoint with SmartDefence enabled can do only 4Mbps of "real world traffic" (this is the traffic mixture Cisco with a help of third part consultants discover and use for simulations and tests) on a maximum equipped hardware!!! Cisco using this numbers aggresivly. For me this is unbelievable.
Checkpoint is stating that all protocol inspections (e.g. HTTP inspection for example) are moved from Security Servers to the kernel and are "very fast". But I think such complex inspections cam move this inspections back to the Security Servers :|

We have done in home performance testing some time ago. We have used eval version of the Ixia traffic generator. We have found no difference between to hosts routed over Cisco Catalyst 3550 Switch and the same hosts routed over CheckPoint NGX SPLAT (near Gig performance). Undoubtedly our test environment and traffic patterns was pretty simple.

runcmd
2006-03-28, 16:05
Follow up:

After enabling this update, our external Outlook Web Access (OWA) users began complaining that they could no longer open emails. The list of messages appears and, after double-clicking on a particular email, the new window opens but the message never displays. We are running Exchange 2003. SmartView Tracker shows the traffic being dropped by SmartDefense and cites rule number 99812. Has anyone else experienced this problem?

Also, I've noticed difficulty in posting to some forums on the Internet when this was enabled, but I didn't track the traffic to verify it was being dropped by the same rule number.

Thanks!

kva.kva
2006-03-29, 02:52
may be with will bw helpful
https://secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?id=sk26226

"Strange rule numbers appear when enabling SmartDefense protections (i.e., 99500, 99520, 99801, etc.)."

I didn't see you number in this article. But it exists next

99810
Microsoft Internet Explorer - Detected COM Object (MS05-054) Vulnerability

runcmd
2006-04-02, 18:17
After enabling this update, our external Outlook Web Access (OWA) users began complaining that they could no longer open emails.

I opened a case with support. Apparently, they're aware of the issue with Outlook Web Access and this SmartDefense update, and are working on it. The current solution appears to be disabling this new feature. I'll post an update when I receive a follow up on my open case. Thanks.

runcmd
2006-04-18, 12:29
Although I have not yet received an update on my CheckPoint case, Microsoft has issued KB912812 to address the "Internet Explorer createTextRange () Vulnerability". The bad news: Microsoft released this as a cumulative security update, which includes the changes made by KB912945. This is the patch that adversely affects ActiveX. The quasi-good news is: Microsoft has granted a temporary "reprieve" on these ActiveX changes with the release of KB917425, which reverses the change made by KB912945--but only until sometime in June.


Summary:
KB912945 - ActiveX Changes
KB912812 - Addresses "Internet Explorer createTextRange () Vulnerability", as well as others. Also includes the ActiveX changes of KB912945.
KB917425 - Temporarily reverses ActiveX changes of KB912945/KB912812


Reference:
Microsoft Security Bulletin MS06-013
http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx

MS06-013: Cumulative security update for Internet Explorer
http://support.microsoft.com/?kbid=912812

Internet Explorer ActiveX update
http://support.microsoft.com/kb/912945

Internet Explorer ActiveX compatibility patch for Mshtml.dll
http://support.microsoft.com/kb/917425/