» Top Protections
DLL Search Path Vulnerabilities in Microsoft Windows Applications
( MS10-096, MS10-093, MS10-097, MS10-094, MS10-095, CVE-2010-3147, CVE-2010-3967, CVE-2010-3144, CVE-2010-3965, CVE-2010-3966 )

Microsoft has identified additional Microsoft Windows applications that are vulnerable to "binary planting" or "DLL preloading attack" exploits that were initially reported in Security Advisory 2269637. Microsoft Office was patched earlier, as described in MS10-087. Successful exploitation of this vulnerability in these applications may allow execution of arbitrary code on a target system. Check Point IPS Software Blade, IPS-1, and NGX SmartDefense provide network protection in the latest IPS update by detecting and blocking suspicious DLL files over CIFS.

Microsoft Office Graphics Filters Could Allow Remote Code Execution
( MS10-105, CVE-2010-3945, CVE-2010-3946, CVE-2010-3951, CVE-2010-3952 )

Four remote code execution vulnerabilities have been discovered in Microsoft Office when handling CGM, PICT, and FlashPix images. A remote attacker could exploit these issues by crafting malformed images and embedding them in an Office document file, and convincing a user to open that file. Successful exploitation of any of these vulnerabilities may allow execution of arbitrary code on a target system. Check Point IPS Software Blade, IPS-1, and NGX SmartDefense provide network protection in the latest IPS update by detecting and blocking malformed CGM, PICT, and FPX images over HTTP.

MS Task Scheduler Vulnerability Used by Stuxnet Worm To Obtain Administrator System Privileges
( MS10-092, CVE-2010-3888 )

The Stuxnet worm, which has received extensive media coverage over the last few months, is one of the most sophisticated malware programs ever created. It uses a number of vulnerabilities in Microsoft Windows, some of which were unreported prior to the Stuxnet outbreak. One of those vulnerabilities is in the Windows Task Scheduler. Stuxnet exploits this issue in order to gain elevated system privileges on the system(s) under attack, ultimately resulting in Administrator privileges on the targeted system. Check Point recommends applying the patch for this issue as detailed in MS10-092 as soon as is practical.

December 14, 2010
In This Advisory
Top Protections
  • DLL Search Path Vulnerabilities in Microsoft Windows Applications
  • Microsoft Office Graphics Filters Could Allow Remote Code Execution
  • MS Task Scheduler Vulnerability Used by Stuxnet Worm To Obtain Administrator System Privileges
Deployment Tip
  • How Check Point Defeats IPS Evasion Attempts
Highlighted Protections
  • Including Patch Tuesday

Deployment Tip
Best Practice: How Check Point Defeats IPS Evasion Attempts
Hackers constantly try to avoid detection by IPS systems by changing various aspects of the traffic so that it is harder to inspect. Their methods include:
  • fragmenting the IP packets
  • segmenting the TCP stream
  • fragmenting RPC traffic
  • manipulating the SMB protocol
  • altering endianness
  • encoding parts of the stream in various ways
The Check Point IPS engines try to mimic the behavior of the packet's destination when analyzing traffic, in order to detect and block all evasion methods. The Check Point IPS protections are also layered so that all such attempts are detected and resolved by the underlying engines before the search for the actual vulnerability begins. As a result, the IPS protections are in most cases indifferent to evasion attempts.
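The layering described above (reassemble the stream as the destination would, undo encodings, then search for the pattern), as an added Python example that is not Check Point's code. The signature, the segment lists, the function names and the "first"/"last" overlap policies are all constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed pattern for illustration; not a real IPS signature.
SIGNATURE = b"/restricted/area"

# Constructed (sequence offset, payload) pairs, in arrival order.
SPLIT = [(10, b"icted/%61rea HTTP/1.0"), (0, b"GET /restr")]
OVERLAP = [(0, b"GET /restricted/"), (16, b"XXXX"),
           (16, b"area"), (20, b" HTTP/1.0")]


def reassemble(segments, policy="first"):
    """Rebuild the byte stream the destination would hand to its application.

    policy names how the destination resolves overlapping bytes:
    "first" keeps the copy that arrived first, "last" the most recent one.
    """
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = byte
    out = bytearray()
    pos = min(stream, default=0)
    while pos in stream:  # stop at the first gap: later bytes are not deliverable yet
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def normalize(stream):
    """Undo percent-encoding so the signature sees the decoded bytes."""
    return unquote_to_bytes(stream)


def naive_match(segments):
    """Per-segment matching with no reassembly or decoding."""
    return any(SIGNATURE in payload for _, payload in segments)


def layered_match(segments, policy):
    """Reassemble as the destination would, normalize, then match."""
    return SIGNATURE in normalize(reassemble(segments, policy))


if __name__ == "__main__":
    print("naive, split stream:  ", naive_match(SPLIT))
    print("layered, split stream:", layered_match(SPLIT, "first"))
    for policy in ("first", "last"):
        print(f"layered, overlap, {policy}-wins:", layered_match(OVERLAP, policy))
```

The overlap case gives a different verdict under each policy, which is why the inspecting engine has to apply the same overlap rule as the host it protects.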
» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

| Severity | Vulnerability Description | Check Point Protection Issued | Industry Reference | Check Point Reference Number |
|---|---|---|---|---|
| Critical | Microsoft Internet Explorer HTML Object use after free Memory Corruption | 14-Dec-10 | CVE-2010-3340, MS10-090 | CPAI-2010-332 |
| Critical | Microsoft Internet Explorer 6 HTML Object Memory Corruption | 14-Dec-10 | CVE-2010-3343, MS10-090 | CPAI-2010-331 |
| Critical | Microsoft Office Publisher pubconv.dll Size Value Heap Corruption | 14-Dec-10 | CVE-2010-2569, MS10-103 | CPAI-2010-322 |
| Critical | Microsoft OpenType Font Format Driver Index Code Execution | 14-Dec-10 | CVE-2010-3956, MS10-091 | CPAI-2010-321 |
| Critical | Microsoft OpenType Font Format Driver CMAP Table Code Execution | 14-Dec-10 | CVE-2010-3959, MS10-091 | CPAI-2010-333 |
| Critical | Adobe Reader JavaScript printSeps Function Heap Corruption | 16-Nov-10 | CVE-2010-4091, APSB10-28 | CPAI-2010-316 |
| Critical | Adobe Flash Player DLL Loading Code Execution | 16-Nov-10 | CVE-2010-3976, APSB10-26 | CPAI-2010-314 |
| High | Microsoft Windows Address Book Insecure Library Loading | 14-Dec-10 | CVE-2010-3147, MS10-096 | CPAI-2010-340 |
| High | Microsoft Windows Media Encoder Insecure Library Loading | 14-Dec-10 | CVE-2010-3965, MS10-094 | CPAI-2010-343 |
| High | Microsoft Internet Connection Signup Wizard Insecure DLL Loading | 14-Dec-10 | CVE-2010-3144, MS10-097 | CPAI-2010-344 |
| High | Microsoft Windows Movie Maker Insecure Library Loading | 14-Dec-10 | CVE-2010-3967, MS10-093 | CPAI-2010-341 |
| High | Microsoft Windows Netlogon RPC Null dereference Denial of Service | 14-Dec-10 | CVE-2010-2742, MS10-101 | CPAI-2010-338 |
| High | Microsoft Graphics Filters CGM Image Converter Buffer Overrun | 14-Dec-10 | CVE-2010-3945, MS10-105 | CPAI-2010-337 |
| High | Microsoft Graphics Filters PICT Image Converter Integer Overflow | 14-Dec-10 | CVE-2010-3946, MS10-105 | CPAI-2010-336 |
| High | Microsoft Graphics Filters FlashPix Converter Buffer Overflow | 14-Dec-10 | CVE-2010-3951, MS10-105 | CPAI-2010-335 |
| High | Microsoft Graphics Filters FlashPix Converter Heap Corruption | 14-Dec-10 | CVE-2010-3952, MS10-105 | CPAI-2010-334 |
| High | Microsoft SharePoint Malformed Request Remote Code Execution | 14-Dec-10 | CVE-2010-3964, MS10-104 | CPAI-2010-339 |
| High | Microsoft Graphics Filters TIFF Image Converter Buffer Overflow | 14-Dec-10 | CVE-2010-3949, CVE-2010-3950, MS10-105 | CPAI-2010-328 |
| High | Microsoft Internet Explorer Table Handling Memory Corruption | 04-Nov-10 | CVE-2010-3962, MS10-090 | CPAI-2010-310 |


Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.
» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its NGX products through SmartDefense subscriptions, and to Check Point Software Blades products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point's global Research and Response Centers. For more information, visit www.CheckPoint.com.