Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Groove 2007 mso.dll Insecure Library Loading Vulnerability (MS11-016)

Subscribe

Check Point Reference: CPAI-2011-051
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS11-016
Industry Reference(s): CVE-2010-3146
Protection Provided by: Security Gateway
  • R75
  • R71
  • R70
VPN-1
  • NGX R65
VSX
  • NGX R65
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Microsoft Groove 2007 SP2
Vulnerability Description
A remote code execution vulnerability has been reported in the way that Microsoft Groove 2007 handles the loading of DLL files. Microsoft Office Groove 2007 is a collaboration software program for working on a broad range of project activities, from simple document collaboration to custom solutions integrated with business processes. A remote attacker could exploit this issue to take complete control of an affected system remotely.
Vulnerability Status
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS11-016 
Vulnerability Details
The vulnerability is caused when Microsoft Groove 2007 incorrectly restricts the path used for loading external libraries. An attacker could convince a user to open a legitimate Groove-related file (such as a .vcg or .gta file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Groove 2007 could attempt to load the DLL file and execute any code it contained. Successful exploitation of this vulnerability could allow the attacker to take complete control of an affected system.

Protection Overview
This protection will detect and block the transferring of suspicious DLL files over CIFS and Webdav. 

In order for the protection to be activated, update your Security Gateway/VPN-1 product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information

Security Gateway: R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade Application Intelligence > Microsoft Networks.
2. In the right pane, double-click the following protection:

Microsoft Groove 2007 mso.dll Insecure Library Loading (MS11-016) 

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Windows SMB Protection Violation
Attack Information: Microsoft Groove 2007 mso.dll insecure library loading (MS11-016) 

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Microsoft Networks.
2. In the right pane, double-click the following protection:

Microsoft Groove 2007 mso.dll Insecure Library Loading (MS11-016)

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Windows SMB Protection Violation
Attack Information: Microsoft Groove 2007 mso.dll insecure library loading (MS11-016) 

VPN-1 NGX R65 & VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence Microsoft Networks Microsoft Groove 2007 mso.dll Insecure Library Loading (MS11-016).
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: 

Attack Name: Windows SMB Protection Violation
Attack Information: Microsoft Groove 2007 mso.dll insecure library loading (MS11-016) 

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Filename Recorder protection group.
3. Click Microsoft Groove 2007 mso.dll Insecure Library Loading (MS11-016) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: BADFILENAME
Description: Microsoft Groove 2007 mso.dll Insecure Library Loading (MS11-016)