Insecure Library Loading Vulnerability in Microsoft Word
( Microsoft Security Bulletin MS11-023, CVE-2011-0107 ) The vulnerability is caused when Microsoft Word incorrectly restricts the path used for loading external libraries. Successful exploitation of this vulnerability could allow the attacker to take complete control of a targeted system. Learn More .
Critical Integer Overflow Vulnerability in Microsoft's GDI+ Image Processing API
( MS11-029, CVE-2011-0041 ) An integer overflow vulnerability has been discovered in the way that the GDI+ application programming interface handles integer calculations. A remote attacker who successfully exploits this vulnerability could take complete control of an affected system. Learn More .
Check Point Provides Preemptive Protection Against SQL Injection Attacks
An SQL code injection attack known as LizaMoon has infected over a million websites as of the end of March 2011. It attempts to convince a user to install malware that is disguised as a virus remover. Learn More .
In This AdvisoryApril 12, 2011
Insecure Library Loading Vulnerability in Microsoft Word•
Critical Integer Overflow Vulnerability in Microsoft's GDI+ Image Processing API•
Check Point Provides Preemptive Protection Against SQL Injection Attacks•
APT Discussion with Tomer Teller, Check Point Security Evangelist•
Including Patch Tuesday•
Best Practice: APT Discussion with Tomer Teller, Check Point Security Evangelist
Ravit Greister, a Check Point security engineer, sat down with security evangelist Tomer Teller to chat about a buzzword that's been in the press lately, largely as a result of the recent RSA SecurID intellectual property breach.
What is APT?
Advanced Persistent Threat is a fancy and a somewhat misleading way of saying that a person or an organization has been specifically targeted by a malicious entity - typically a group of sophisticated, determined attackers that conducts a campaign of intellectual property theft and seeks to compromise government and commercial computer networks.
Can you provide us with a quick anatomy of an APT operation?
1. Perform Reconnaissance on the target. The first thing in an APT attack is to seek publicly available information about specific employees. To this end, social media sites such as LinkedIn, Facebook and search engines such as Google are always favorites.
2. Initial Intrusion. With information gained from social media sites about a specific person, the attackers can then send that user a Spear Phishing email – i.e. a target-specific message that attempts to convince the target to divulge information. Often the email uses target-relevant content; for instance, if the target is in the finance department, it might talk about some advice on regulatory controls.
3. Gain backdoor entrance. The next step in a typical APT is to install some sort of a Remote Administration Tool (RAT) that allows the attacker to control the machine. In the RSA attack for example, the tool used was a variant of the commercially-available "PoisonIvy" backdoor Trojan malware module.
4. Gain further access. Having set remote access, the attacker will start stealing usernames and password hashes, and also search for user accounts with higher privileges.
5. Perform Data Exfiltration. The attacker would now attempt to send compromised data in an encrypted and compressed manner through “staging servers” back to the attacker. (“Exfiltration” is the term used to describe getting data out of a location, rather than trying to infiltrate it.)
6. Grow roots. Last, the attacker will install more RATs and may send updates to the malware to improve its ability to stay under the radar.
Could you give us examples of recently launched APTs?
Note that with the majority of APT attacks, the attackers use unpatched zero-day vulnerabilities to install malware. For example, in RSA's case, the specially crafted file that was used to trick the employee contained a zero-day exploit that installs a backdoor using an Adobe Flash executable embedded in a Microsoft Excel spreadsheet. Stuxnet manipulated 4 different Microsoft zero-day vulnerabilities - you can read more about this very sophisticated malware attack here and here.
- Google was hit by an APT known as Operation Aurora
- RSA was hit by an APT in March, which has resulted in the possible compromise of their SecurID hardware security token technology
- The Stuxnet Worm is a great example of an ongoing APT
How can Check Point mitigate APT attacks?
The 6 steps I mentioned above in the attack anatomy can be roughly grouped into 3 categories: The Human Factor, Company Policy and Enforcement.
By generating security awareness inside the company amongst new and veteran employees, the initial intrusion that APTs attempt to use can be avoided. Spear phishing awareness training, for example, can be useful here. But we cannot always be certain that everyone passes a security awareness seminar and is always updated with the most recent security trends. An organization must have a defined and customized policy that is tailored to the needs of that specific business.For example: A financial company should not allow employees to open non-allowed email, send restricted documents etc. This can greatly help in blocking further access inside the organization. To protect data exfiltration, a company must have in-depth layered security and layered enforcement which includes IPS, firewall and DLP technologies. If we look at all the above this is exactly where Check Point’s 3D security kicks in.
» Highlighted Protections
This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.
CriticalSeverityVulnerability DescriptionCheck Point Protection
IssuedIndustry ReferenceCheck Point Reference
Microsoft GDI+ EMF Image Processing Integer Overflow
Microsoft OpenType CFF Driver Font Data Stack Overflow
Microsoft CIFS Browser Protocol Pool Corruption
Microsoft SMB Crafted Write Request Remote Code Execution
Microsoft Internet Explorer Layouts Handling Memory Corruption
Microsoft Internet Explorer Object Lifetime Management Memory Corruption
Fraudulent Comodo Certificates HTTPS Spoofing
Mass SQL Injection LizaMoon Attack
More Updates >
Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.
Know someone who should be getting the Advisories?
» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its NGX products through SmartDefense subscriptions, and to Check Point Software Blades products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point's global Research and Response Centers. For more information, visit www.CheckPoint.com.