» Top Protections
Insecure Library Loading Vulnerability in Microsoft Word
(Microsoft Security Bulletin MS11-023, CVE-2011-0107) The vulnerability is caused by Microsoft Word incorrectly restricting the path used for loading external libraries, so a specially crafted library placed where Word searches for it (for instance alongside a legitimate document the user opens) is loaded and executed. Successful exploitation could allow the attacker to take complete control of the targeted system.
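The bug class behind this bulletin is library preloading: code that asks the loader for a bare file name (LoadLibrary("helper.dll"), dlopen("helper.so", ...)) lets the loader search a list of directories, some of which an attacker can write to. The fix pattern is to load only from a directory the application trusts, using a fully qualified path the application builds itself. The following C illustration is added here and is not Microsoft's code or Microsoft's fix; `build_trusted_library_path` and `is_absolute_dir` are hypothetical helper names and the inputs are constructed:

```c
/*
 * Added illustration (not Microsoft's fix): build a fully qualified library
 * path from a trusted directory and a plain file name, refusing anything
 * that would trigger a loader search or escape the trusted directory.
 * build_trusted_library_path() and is_absolute_dir() are hypothetical names.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* String-level check that a directory is fully qualified on either platform:
 * POSIX "/..." or Windows "C:\..." / "\\server\share". */
int is_absolute_dir(const char *dir)
{
    size_t n = strlen(dir);
    if (n >= 1 && dir[0] == '/')
        return 1;                                   /* POSIX absolute */
    if (n >= 3 && isalpha((unsigned char)dir[0]) && dir[1] == ':' &&
        (dir[2] == '\\' || dir[2] == '/'))
        return 1;                                   /* drive-letter absolute */
    if (n >= 2 && dir[0] == '\\' && dir[1] == '\\')
        return 1;                                   /* UNC path */
    return 0;
}

/* Build "<trusted_dir><sep><name>" into out. Returns 0 on success, -1 when
 * the request would escape the trusted directory or cause a search. */
int build_trusted_library_path(const char *trusted_dir, const char *name,
                               char *out, size_t out_len)
{
    if (!trusted_dir || !name || !out || out_len == 0 || name[0] == '\0')
        return -1;
    /* A library *name* must be a plain file name: a separator means the
     * caller is walking the tree, "." or ".." means traversal. */
    if (strchr(name, '/') || strchr(name, '\\'))
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    /* A relative trusted_dir would be resolved against the current working
     * directory, which is exactly what a document-planting attacker controls. */
    if (!is_absolute_dir(trusted_dir))
        return -1;

    size_t dlen = strlen(trusted_dir);
    char last = trusted_dir[dlen - 1];
    const char *sep = (last == '/' || last == '\\') ? "" :
                      (trusted_dir[0] == '/') ? "/" : "\\";
    int n = snprintf(out, out_len, "%s%s%s", trusted_dir, sep, name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                                  /* truncated: refuse to load */
    return 0;
}

int main(void)
{
    char path[260];
    /* Constructed inputs for the demonstration. */
    const char *cases[][2] = {
        {"C:\\Program Files\\App", "helper.dll"},     /* ok */
        {"/opt/app/lib", "codec.so"},                /* ok */
        {"C:\\Program Files\\App", "..\\helper.dll"}, /* traversal */
        {"C:\\Program Files\\App", "plugins\\x.dll"}, /* separator */
        {"lib", "helper.dll"},                       /* relative dir */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = build_trusted_library_path(cases[i][0], cases[i][1],
                                            path, sizeof path);
        printf("%-24s + %-16s -> %s\n", cases[i][0], cases[i][1],
               rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

The resulting string is what gets handed to LoadLibraryW on Windows or dlopen on POSIX; the point is that the loader never sees a bare name. Windows additionally offers process-wide mitigations for the search itself, such as SetDllDirectory(L"") to remove the current directory from the search order, which this example does not cover.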

Critical Integer Overflow Vulnerability in Microsoft's GDI+ Image Processing API
(MS11-029, CVE-2011-0041) An integer overflow exists in the way the GDI+ application programming interface handles integer calculations when processing EMF image data: a crafted image can make a size calculation wrap, which leads to memory corruption. A remote attacker who successfully exploits this vulnerability could take complete control of an affected system.
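The mechanics of an integer overflow in image-size arithmetic, and the checked arithmetic that closes it, as an added C illustration that is not GDI+ source code. The header struct is constructed for the example and is not the EMF or GDI+ record layout; it assumes whole-byte pixel formats (8, 16, 24 or 32 bpp), and `pixel_bytes_unchecked`, `pixel_bytes_checked` and `decode_pixels` are hypothetical names:

```c
/*
 * Added illustration (not GDI+ code): a 32-bit image-size computation that
 * wraps on attacker-chosen dimensions, next to the checked version.
 * img_hdr_t is a constructed header, not the EMF/GDI+ record layout.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;       /* bits per pixel; whole-byte formats only here */
} img_hdr_t;

/* Cap no legitimate image in this decoder needs to exceed (example value). */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* Vulnerable pattern: both multiplications are done in 32 bits and wrap
 * silently, so a crafted header yields a tiny allocation that the later
 * pixel copy overruns. */
uint32_t pixel_bytes_unchecked(const img_hdr_t *h)
{
    uint32_t stride = h->width * (h->bpp / 8);
    return stride * h->height;
}

/* Hardened pattern: validate the fields, then test each multiplication
 * against the limit before performing it. Returns 0 and the size, or -1. */
int pixel_bytes_checked(const img_hdr_t *h, uint32_t *out)
{
    if (h->bpp == 0 || h->bpp % 8 != 0 || h->bpp > 32)
        return -1;
    if (h->width == 0 || h->height == 0)
        return -1;
    uint32_t bytes_pp = h->bpp / 8;
    if (h->width > UINT32_MAX / bytes_pp)
        return -1;                          /* width * bytes_pp would wrap */
    uint32_t stride = h->width * bytes_pp;
    if (stride > UINT32_MAX / h->height)
        return -1;                          /* stride * height would wrap */
    uint32_t total = stride * h->height;
    if (total > MAX_IMAGE_BYTES)
        return -1;                          /* legal arithmetic, absurd image */
    *out = total;
    return 0;
}

/* Decoder entry point built on the checked size: the payload must be exactly
 * as long as the header implies, so the copy cannot exceed the buffer. */
uint8_t *decode_pixels(const img_hdr_t *h, const uint8_t *payload, size_t payload_len)
{
    uint32_t need;
    if (pixel_bytes_checked(h, &need) != 0 || payload_len != need)
        return NULL;
    uint8_t *buf = malloc(need);
    if (!buf)
        return NULL;
    memcpy(buf, payload, need);
    return buf;
}

int main(void)
{
    /* Constructed malicious header: 65537 x 65536 x 32 bpp really needs about
     * 17 GB, but 0x40004 * 0x10000 = 0x4_0004_0000 truncates to 0x40000. */
    img_hdr_t evil = { 65537u, 65536u, 32u };
    printf("unchecked size for evil header: %u bytes (should be ~17 GB)\n",
           pixel_bytes_unchecked(&evil));
    uint32_t n;
    printf("checked size for evil header:   %s\n",
           pixel_bytes_checked(&evil, &n) == 0 ? "accepted" : "rejected");

    img_hdr_t good = { 640u, 480u, 24u };
    if (pixel_bytes_checked(&good, &n) == 0)
        printf("checked size for 640x480x24:    %u bytes\n", n);
    return 0;
}
```

The unchecked function returns 262144 for the evil header, so a decoder that trusted it would allocate 256 KB and then copy whatever length the file claims into it. The check divides rather than multiplies, so it can never overflow itself; the explicit cap catches headers that are arithmetically valid but still absurd.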

Check Point Provides Preemptive Protection Against SQL Injection Attacks
A mass SQL injection attack known as LizaMoon had infected over a million websites by the end of March 2011. The injected code attempts to convince visitors to install malware disguised as a virus remover.

April 12, 2011
In This Advisory
Top Protections
Insecure Library Loading Vulnerability in Microsoft Word
Critical Integer Overflow Vulnerability in Microsoft's GDI+ Image Processing API
Check Point Provides Preemptive Protection Against SQL Injection Attacks
Deployment Tip
APT Discussion with Tomer Teller, Check Point Security Evangelist
Highlighted Protections
Including Patch Tuesday
» Deployment Tip
Best Practice: APT Discussion with Tomer Teller, Check Point Security Evangelist
Ravit Greister, a Check Point security engineer, sat down with security evangelist Tomer Teller to chat about a buzzword that's been in the press lately, largely as a result of the recent RSA SecurID intellectual property breach.

What is APT?

Advanced Persistent Threat is a fancy and somewhat misleading way of saying that a person or an organization has been specifically targeted by a malicious entity - typically a group of sophisticated, determined attackers that conducts a campaign of intellectual property theft and seeks to compromise government and commercial computer networks.

Can you provide us with a quick anatomy of an APT operation?

1. Perform Reconnaissance on the target. The first thing in an APT attack is to seek publicly available information about specific employees. To this end, social media sites such as LinkedIn, Facebook and search engines such as Google are always favorites.
2. Initial Intrusion. With information gained from social media sites about a specific person, the attackers can then send that user a Spear Phishing email – i.e. a target-specific message that attempts to convince the target to divulge information. Often the email uses target-relevant content; for instance, if the target is in the finance department, it might talk about some advice on regulatory controls.
3. Gain backdoor entrance. The next step in a typical APT is to install some sort of a Remote Administration Tool (RAT) that allows the attacker to control the machine. In the RSA attack for example, the tool used was a variant of the commercially-available "PoisonIvy" backdoor Trojan malware module.
4. Gain further access. Having set remote access, the attacker will start stealing usernames and password hashes, and also search for user accounts with higher privileges.
5. Perform Data Exfiltration. The attacker would now attempt to send compromised data in an encrypted and compressed manner through “staging servers” back to the attacker. (“Exfiltration” is the term used to describe getting data out of a location, rather than trying to infiltrate it.)
6. Grow roots. Last, the attacker will install more RATs and may send updates to the malware to improve its ability to stay under the radar.
Could you give us examples of recently launched APTs?
  • Google was hit by an APT known as Operation Aurora
  • RSA was hit by an APT in March, which has resulted in the possible compromise of their SecurID hardware security token technology
  • The Stuxnet Worm is a great example of an ongoing APT
Note that with the majority of APT attacks, the attackers use unpatched zero-day vulnerabilities to install malware. For example, in RSA's case, the specially crafted file that was used to trick the employee contained a zero-day exploit that installs a backdoor using an Adobe Flash executable embedded in a Microsoft Excel spreadsheet. Stuxnet manipulated 4 different Microsoft zero-day vulnerabilities.
How can Check Point mitigate APT attacks?

The 6 steps I mentioned above in the attack anatomy can be roughly grouped into 3 categories: The Human Factor, Company Policy and Enforcement.

By generating security awareness inside the company amongst new and veteran employees, the initial intrusion that APTs attempt to use can be avoided. Spear phishing awareness training, for example, can be useful here. But we cannot always be certain that everyone passes a security awareness seminar and is always updated with the most recent security trends.

An organization must have a defined and customized policy that is tailored to the needs of that specific business. For example: a financial company should not allow employees to open non-allowed email, send restricted documents, etc. This can greatly help in blocking further access inside the organization.

To protect against data exfiltration, a company must have in-depth layered security and layered enforcement, which includes IPS, firewall and DLP technologies. If we look at all the above, this is exactly where Check Point’s 3D security kicks in.

» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

Severity | Vulnerability Description                                                  | Check Point Protection Issued | Industry Reference      | Check Point Reference Number
---------|----------------------------------------------------------------------------|-------------------------------|-------------------------|-----------------------------
Critical | Microsoft GDI+ EMF Image Processing Integer Overflow                       | 12-Apr-2011                   | MS11-029, CVE-2011-0041 | CPAI-2011-224
Critical | Microsoft OpenType CFF Driver Font Data Stack Overflow                     | 12-Apr-2011                   | MS11-032, CVE-2011-0034 | CPAI-2011-221
Critical | Microsoft CIFS Browser Protocol Pool Corruption                            | 12-Apr-2011                   | MS11-019, CVE-2011-0654 | CPAI-2011-226
Critical | Microsoft SMB Crafted Write Request Remote Code Execution                  | 12-Apr-2011                   | MS11-020, CVE-2011-0661 | CPAI-2011-225
Critical | Microsoft Internet Explorer Layouts Handling Memory Corruption             | 12-Apr-2011                   | MS11-018, CVE-2011-0094 | CPAI-2011-216
Critical | Microsoft Internet Explorer Object Lifetime Management Memory Corruption   | 12-Apr-2011                   | MS11-018, CVE-2011-1345 | CPAI-2011-215
Critical | Fraudulent Comodo Certificates HTTPS Spoofing                              | 24-Mar-2011                   |                         | CPAI-2011-090
Critical | Mass SQL Injection LizaMoon Attack                                         | 05-Apr-2011                   |                         | CPAI-2011-212


Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.
» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its NGX products through SmartDefense subscriptions, and to Check Point Software Blades products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point's global Research and Response Centers. For more information, visit www.CheckPoint.com.


Read Check Point's Privacy Policy
©2003-2010 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved. 800 Bridge Parkway, Redwood City, CA USA 94065