» Hot SmartDefense Protections

Downadup (Conficker) Worm
(MS08-067; CVE-2008-4250)

The Downadup worm (a.k.a. ‘Conficker’) exploits the MS08-067 vulnerability in the Windows Server Service and propagates itself quickly over a network. Although a patch from Microsoft has existed for this vulnerability since October, delays in applying the patch allowed millions of computers to become infected and left millions more vulnerable. SmartDefense Services have been preemptive against this worm since 2006, with the protection against Microsoft Windows Server Service Vulnerability (MS06-040), and an enhanced protection issued on the same day the new Microsoft vulnerability (MS08-067) was announced in October 2008.
Additional information.

Microsoft Exchange Server Vulnerability
(MS09-003; CVE-2009-0098)

Microsoft Exchange is the world’s leading corporate email platform. Microsoft Exchange does not properly decode messages in TNEF format, which is used by the Exchange Server when sending messages formatted in Rich Text Format (RTF).  Remote attackers may exploit this vulnerability via a specially crafted TNEF message. A user opening or previewing the maliciously-crafted message will trigger the vulnerability. The attacker may then be able to take complete control of the Exchange Server.  See protection CPAI-2009-010 for additional information.

Preemptive Protection against Novell GroupWise Internet Agent Buffer Overflow
(CVE-2009-0410)

Novell GroupWise is an email, calendaring and collaborative application available from Novell. A buffer overflow vulnerability has been reported in Novell GroupWise, specifically in its Mail Transfer Agent.  A remote unauthenticated attacker could exploit the vulnerability by sending an overly long RCPT TO command to the affected application. Successful exploitation may allow for code execution with SMTP process privileges, or may terminate the service and lead to a Denial of Service condition. SmartDefense Services have provided preemptive protection against this vulnerability since January 2005, when protections were made available to detect and block SMTP commands longer than a configurable threshold. See protection CPAI-2009-041 for additional information.
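
The length check described above, sketched as an added example (this is not Check Point's implementation, and the function and sample names are hypothetical). The 512-octet default is the RFC 5321 command-line limit, and the session bytes are constructed for illustration.

```python
# Added example: flag SMTP client commands longer than a configurable threshold.
from dataclasses import dataclass

# RFC 5321 section 4.5.3.1.4: a command line, CRLF included, is at most 512 octets.
DEFAULT_THRESHOLD = 512

@dataclass
class Finding:
    verb: str    # first token of the command, e.g. "RCPT"
    length: int  # octets seen for this command line

def _verb(line: bytes) -> str:
    return line.split(b" ", 1)[0][:16].upper().decode("ascii", "replace")

def oversized_commands(client_stream: bytes, threshold: int = DEFAULT_THRESHOLD):
    """Return a Finding for each client command line longer than `threshold`.

    Only the client-to-server half of a session is examined. Lines between
    DATA and the terminating "." are message content, not commands, so they
    are skipped (assumption: the server accepted DATA).
    """
    findings, in_data = [], False
    lines = client_stream.split(b"\r\n")
    tail = lines.pop()  # bytes after the last CRLF: a command still in progress
    for line in lines:
        if in_data:
            in_data = line != b"."
            continue
        if len(line) + 2 > threshold:  # +2 counts the CRLF
            findings.append(Finding(_verb(line), len(line) + 2))
        elif line.strip().upper() == b"DATA":
            in_data = True
    # An over-long command may never be terminated, so check the partial line too.
    if not in_data and len(tail) > threshold:
        findings.append(Finding(_verb(tail), len(tail)))
    return findings

# Constructed sample session (client side only); addresses are placeholders.
SAMPLE = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<a@example.com>\r\n"
    b"RCPT TO:<" + b"A" * 600 + b"@example.com>\r\n"
    b"RCPT TO:<b@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: test\r\n\r\n" + b"x" * 900 + b"\r\n.\r\n"
    b"QUIT\r\n"
)

if __name__ == "__main__":
    for f in oversized_commands(SAMPLE):
        print(f"{f.verb} command of {f.length} octets exceeds the threshold")
```

Long lines inside the message body do not raise findings, which is why the DATA state is tracked rather than measuring every line on the connection.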
February 10, 2009

IN THIS ADVISORY:
  • Downadup (Conficker) Worm
  • Microsoft Exchange Server Vulnerability
  • Preemptive Protection against Novell GroupWise Internet Agent Buffer Overflow
  • Including Patch Tuesday
  • Improving Performance for Mail Protections
» Highlighted SmartDefense Updates

This table lists SmartDefense protection updates for recently disclosed threats. In some cases, SmartDefense protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

| Severity | Vulnerability Description | SmartDefense Protection Issued | Industry Reference | SmartDefense Reference Number |
|---|---|---|---|---|
| Critical | Microsoft Internet Explorer Uninitialized Memory Corruption | 10-Feb-09 | CVE-2009-0075, MS09-002 | CPAI-2009-012 |
| Critical | Microsoft Internet Explorer CSS Memory Corruption | 10-Feb-09 | CVE-2009-0076, MS09-002 | CPAI-2009-018 |
| Critical | Microsoft Exchange Server MS-TNEF Memory Corruption | 10-Feb-09 | CVE-2009-0098, MS09-003 | CPAI-2009-010 |
| High | Microsoft Exchange Server EMSMDB32 Literal Processing Vulnerability | 10-Feb-09 | CVE-2009-0099, MS09-003 | CPAI-2009-014 |
| High | Microsoft Visual Basic Multiple ActiveX Remote Code Execution | 10-Feb-09 | Security Advisory (960715) | CPAI-2009-016 |
| High | Microsoft SQL Server sp_replwritetovarbin Limited Memory Overwrite (Preemptive) | 10-Feb-09 | CVE-2008-5416, MS09-004 | CPAI-2009-008 |
| Critical | Microsoft Server Service Remote Code Execution | 23-Oct-08 | CVE-2008-4250, MS08-067 | CPAI-2008-158 |
| High | Oracle TimesTen evtdump Remote Format String Vulnerability | 23-Jan-09 | CVE-2008-5440 | CPAI-2009-021 |
| High | Multiple Oracle Secure Backup Administration Server Vulnerabilities | 23-Jan-09 | CVE-2008-5448, CVE-2008-4006, CVE-2008-5449 | CPAI-2009-031 |
| High | Oracle Secure Backup NDMP CONECT_CLIENT_AUTH Command Buffer Overflow | 23-Jan-09 | CVE-2008-5444 | CPAI-2009-029 |
| High | Sun Solaris IPv6 Denial of Service Vulnerability | 30-Jan-09 | CVE-2009-0304 | CPAI-2009-037 |
| High | Novell GroupWise Internet Agent RCPT Command Buffer Overflow | 26-Jan-09 | CVE-2009-0410 | CPAI-2009-41 |


» How to Install SmartDefense Updates
SmartDefense Updates can be downloaded and configured on your Check Point products through the Check Point SmartCenter management interface.


SMARTDEFENSE DEPLOYMENT TIP
Best Practice: Improving performance for mail server protections
When mail-related network traffic needs deep inspection, it is useful to limit mail protections to traffic to or from designated mail servers, because inspecting all traffic may cause undesired performance degradation. The approach below allows deep inspection of mail-related traffic without impacting other corporate traffic. SmartDefense protections such as POP3/IMAP Security and SMTP Mail Security Server are designed to use this capability.

This approach can be used to protect against the recent Microsoft Security bulletin MS09-003 (CVE-2009-0099).  The Microsoft bulletin describes a vulnerability in the Microsoft Exchange Server that can be exploited by sending a specially crafted mail notification. By defining your corporate Exchange Server as a mail server, you can apply the MS09-003 protection to the Exchange Server and ensure that the protection will inspect mail notifications targeted only to your Exchange Server, rather than inspecting all traffic for malformed mail notifications.

Instructions for defining a mail server.


Have SmartDefense feature questions?
Participate in the SmartDefense User Forum. The SmartDefense Forum is your space for asking questions regarding all SmartDefense features, and to collaborate with other SmartDefense users, worldwide, on SmartDefense-related issues. Check Point employees may monitor the forum and provide information on the issues posted.

» About SmartDefense and SmartDefense Services
Check Point SmartDefense provides intrusion prevention capabilities that are integrated into Check Point products. SmartDefense is updated by SmartDefense Services, which provide ongoing and real-time updates and configuration advisories for defenses and security policies. SmartDefense also helps to minimize threats by providing defenses that can be used before vendor supplied patches become available or are fully installed throughout the network. SmartDefense protections are developed and distributed by SmartDefense Research and Response Centers located around the globe. For additional information visit www.CheckPoint.com/Defense.

©2003-2009 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved. 800 Bridge Parkway, Redwood City, CA USA 94065