Update Protection against Microsoft Outlook AttachMethods Remote Code Execution Vulnerability (MS10-045)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-218
Date Published:
Severity:
Last Updated:
Source:	Microsoft Security Bulletin MS10-045
Industry Reference(s):	CVE-2010-0266
Protection Provided by:	Security Gateway R71 R70 IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Microsoft Office Outlook 2002 SP3 Microsoft Office Outlook 2003 SP3 Microsoft Office Outlook 2007 SP1 Microsoft Office Outlook 2007 SP2
Vulnerability Description A remote code execution vulnerability has been reported in the way that Microsoft Office Outlook tries to verify attachments in a specially crafted e-mail message. Microsoft Outlook is an e-mail application and a personal information manager. A remote attacker may exploit this vulnerability to take complete control of the affected system.

Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS10-045

Vulnerability Details
The vulnerability is due to an error in Microsoft Office Outlook that fails to properly verify the file extension of an attachment in a specially crafted e-mail message. A remote attacker may exploit this issue by sending a specially crafted e-mail message containing an attachment to a user. When the user attempts to open the attachment, an attacker specified malicious executable file could be run.

Protection Overview
This protection will detect and block attempts to bypass the Outlook attachment filter.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway: R70/R71

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Mail > SMTP.
2. In the right pane, double-click the Microsoft Outlook AttachMethods Remote Code Execution (MS10-045) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SMTP Protection Violation
Attack Information: Microsoft Outlook AttachMethods remote code execution (MS10-045)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1st Protection

This protection will detect and block the transfer of .MSG files with possibly malicous attachments.

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Microsoft Office Parser protection group.
3. Click Microsoft Outlook AttachMethods .MSG File Remote Code Execution (MS10-045) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

2nd Protection

This protection will detect and block the transfer of .tnef files with possibly malicious attachments.

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the TNEF Parser protection group
3. Click Microsoft Outlook AttachMethods MS-TNEF Remote Code Execution (MS10-045) (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
1st Protection
Upon attack, the following entries will be logged:

Alert Name: Vulnerability in MS-Office file
Description: Microsoft Outlook AttachMethods .MSG File Remote Code Execution (MS10-045)

2nd Protection
Upon attack, the following entries will be logged:

Alert Name: Badfiles TNEF file Alert/Filter
Description: Microsoft Outlook AttachMethods MS-TNEF Remote Code Execution (MS10-045)

Legal Notice for Threat Center Advisories