» Top Protections

Microsoft SMB Client Vulnerabilities
(MS10-020)

Several critical vulnerabilities have been identified in Microsoft Server Message Block (SMB), a network file sharing protocol. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. One, CVE-2009-3676, has been public for five months and was the first confirmed zero-day vulnerability in Windows 7. See Microsoft Security Advisory 977544. Check Point has provided immediate protection for this vulnerability since November 17, 2009 and provides immediate protection against exploits that use these vulnerabilities through its integrated IPS offerings.

Multiple Browser Vulnerabilities
(Internet Explorer MS10-018, Firefox Security Advisories, Safari CVE-2009-3271)

Exploitation of browser vulnerabilities is a favorite attack vector, and browser vendors have been trying to keep up with security updates. On March 30th, Microsoft released an out-of-band security update for Internet Explorer that fixed 10 Critical vulnerabilities. Check Point provided protections for all 10. In addition, Check Point IPS-1 provides protections against 7 Firefox exploits, 3 of which were Critical, and an immediate protection against an unpatched Safari exploit.

Blocking Null Prefix in DNS MX Records
(MS10-024, CVE-2010-0024)

A denial of service vulnerability has been reported in the way that the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component handles specially crafted DNS Mail Exchanger (MX) resource records. A remote attacker may trigger this vulnerability via a specially crafted DNS request with a null prefix in the MX record. Successful exploitation of this issue could cause the affected system to stop accepting requests. Check Point provides immediate protection against this exploit through its integrated IPS offerings: SmartDefense and the IPS Software Blade.
April 13, 2010

» Deployment Tip
Best Practice: Defining Exceptions to SmartEvent IPS Events
SmartEvent turns security information into action with real-time security event correlation and management for Check Point security gateways and third-party devices. Security events are analyzed, correlated, assigned severity levels, and invoke automatic reactions based upon the Events Policy.

Severity levels prioritize security threats in pre-defined timelines, queries, reports, and graphs. If you identify an event that is clearly not a threat, you can tailor the Events Policy by creating Event Exceptions, reducing the severity level as needed. Conversely, to respond faster to a real threat, you may want to use an Event Exception to add an Automatic Reaction, such as sending an email notification.

Exceptions can be added either in the Policy tab or by right-clicking on an existing IPS event and selecting Add exception to event definition.

To define an exception via the Events tab:
  1. In the Events tab, right-click on an event and select Add exception to event definition.
  2. The Exception to event definition appears with the fields pre-populated from that event. Modify the Severity and Reaction as needed and click OK.
  3. Install the policy.
» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

| Severity | Vulnerability Description | Check Point Protection Issued | Industry Reference | Check Point Reference Number |
|---|---|---|---|---|
| Critical | Microsoft Windows SMB Endless Loop Denial of Service | 16-Nov-09 | MS10-020, CVE-2009-3676, Security Advisory 977544 | CPAI-2009-296 |
| Critical | Microsoft Windows SMB Client Memory Allocation Memory Corruption | 13-Apr-10 | MS10-020, CVE-2010-0269 | CPAI-2010-064 |
| Critical | Microsoft Windows SMB Client Transaction Memory Corruption | 13-Apr-10 | MS10-020, CVE-2010-0270 | CPAI-2010-065 |
| Critical | Microsoft Windows SMB Client Response Parsing Memory Corruption | 13-Apr-10 | MS10-020, CVE-2010-0476 | CPAI-2010-061 |
| Critical | Microsoft Windows SMB Client Message Size Remote Code Execution | 13-Apr-10 | MS10-020, CVE-2010-0477 | CPAI-2010-063 |
| Critical | Microsoft Windows MPEG Layer-3 Audio Decoder AVI File Stack Overflow | 13-Apr-10 | MS10-026, CVE-2010-0480 | CPAI-2010-060 |
| Critical | Microsoft Windows VBScript MsgBox Call with Malicious HLP File | 02-Mar-10 | MS10-020, CVE-2010-0483, Security Advisory 981169 | CPAI-2010-049 |
| Critical | Microsoft Windows Internet Explorer iepeers.dll Remote Code Execution* | 01-Apr-10 | MS10-018, CVE-2010-0806 | CPAI-2010-044 |
| Critical | Microsoft Windows DOM Operation HTML Object Memory Corruption | 01-Apr-10 | MS10-018, CVE-2010-0491 | CPAI-2010-054 |
| Critical | Microsoft Windows Internet Explorer CSS HTML Object Memory Corruption | 01-Apr-10 | MS10-018, CVE-2010-0492 | CPAI-2010-055 |
| Critical | Microsoft Windows Internet Explorer HTML CSS Tag Rendering Memory Corruption | 01-Apr-10 | MS10-018, CVE-2010-0807 | CPAI-2010-058 |
| Critical | Microsoft Windows Internet Explorer Element Cross-Domain Information Disclosure | 01-Apr-10 | MS10-018, CVE-2010-0494 | CPAI-2010-056 |
| Critical | Microsoft Windows Media Player ActiveX Codec Retrieval Vulnerability | 13-Apr-10 | MS10-027, CVE-2010-0268 | SBP-2010-15 |
| Critical | Microsoft Windows Media Services Stack-based Buffer Overflow | 13-Apr-10 | MS10-025, CVE-2010-0478 | CPAI-2010-062 |
| Critical | PKCS11 Module Installation Code Execution | 25-Mar-10 | CVE-2009-3076 | CPAI-2010-116 |
| Critical | Mozilla Firefox Top-level Script Object Offset Calculation Memory Corruption | 25-Mar-10 | CVE-2009-3073 | CPAI-2010-117 |
| Critical | Mozilla Firefox Browser Engine Memory Corruption | 25-Mar-10 | CVE-2009-3382 | CPAI-2010-113 |
| High | Blocking Null Prefix in DNS MX Records | 13-Apr-10 | MS10-024, CVE-2010-0024 | SBP-2010-16 |

Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.

» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its R65 products through SmartDefense Services, and to Check Point R70 products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point’s global Research and Response Centers. For more information, visit www.CheckPoint.com.
©2003-2010 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved. 800 Bridge Parkway, Redwood City, CA USA 94065