Check Point Security Advisory
» Top Protections

DLL Search Path Vulnerabilities in Microsoft Windows Applications
( MS10-096, MS10-093, MS10-097, MS10-094, MS10-095, CVE-2010-3147, CVE-2010-3967, CVE-2010-3144, CVE-2010-3965, CVE-2010-3966 )

Microsoft has identified additional Microsoft Windows applications that are vulnerable to "binary planting" or "DLL preloading attack" exploits that were initially reported in Security Advisory 2269637. Microsoft Office was patched earlier, as described in MS10-087. Successful exploitation of this vulnerability in these applications may allow execution of arbitrary code on a target system. Check Point IPS Software Blade, IPS-1, and NGX SmartDefense provide network protection in the latest IPS update by detecting and blocking suspicious DLL files over CIFS.

Microsoft Office Graphics Filters Could Allow Remote Code Execution
( MS10-105, CVE-2010-3945, CVE-2010-3946, CVE-2010-3951, CVE-2010-3952 )

Four remote code execution vulnerabilities have been discovered in Microsoft Office when handling CGM, PICT, and FlashPix images. A remote attacker could exploit these issues by crafting malformed images and embedding them in an Office document file, and convincing a user to open that file. Successful exploitation of any of these vulnerabilities may allow execution of arbitrary code on a target system. Check Point IPS Software Blade, IPS-1, and NGX SmartDefense provide network protection in the latest IPS update by detecting and blocking malformed CGM, PICT, and FPX images over HTTP.

MS Task Scheduler Vulnerability Used by Stuxnet Worm To Obtain Administrator System Privileges
( MS10-092, CVE-2010-3888 )

The Stuxnet worm, which has received extensive media coverage over the last few months, is one of the most sophisticated malware programs ever created. It uses a number of vulnerabilities in Microsoft Windows, some of which were unreported prior to the Stuxnet outbreak. One of those vulnerabilities is in the Windows Task Scheduler. Stuxnet exploits this issue in order to gain elevated system privileges on the system(s) under attack, ultimately resulting in Administrator privileges on the targeted system. Check Point recommends applying the patch for this issue as detailed in MS10-092 as soon as is practical.

December 14, 2010

Deployment Tip
Best Practice: How Check Point Defeats IPS Evasion Attempts

Hackers constantly try to evade IPS systems by altering various aspects of their traffic to make it more difficult to detect. They use various methods, including:

  • fragmenting the IP packets
  • segmenting the TCP stream
  • fragmenting RPC traffic
  • manipulating the SMB protocol
  • altering endianness
  • encoding parts of the stream in various ways

When analyzing traffic, the Check Point IPS engines try to mimic the behavior of the packet's destination, in order to detect and block all evasion methods. The IPS protections are also layered so that all such attempts are detected and resolved by the underlying engines before the search for the actual vulnerability begins. As a result, the IPS protections are in most cases indifferent to evasion attempts.
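The layering described above, shown for the TCP segmentation case as an added example (not Check Point code): a per-segment signature check misses a pattern that spans segment boundaries, while the same check run after reassembly finds it. The names `Segment`, `reassemble`, `stream_match`, the signature string and the sample traffic are all constructed for illustration.

```python
from dataclasses import dataclass

MOD = 2**32                       # TCP sequence numbers wrap at 32 bits
SIGNATURE = b"EXAMPLE-SIGNATURE"  # constructed placeholder, not a real IPS pattern

@dataclass(frozen=True)
class Segment:
    seq: int     # sequence number of the first payload byte in this segment
    data: bytes

def per_segment_match(segments, signature=SIGNATURE):
    """Naive inspection: test each segment payload in isolation."""
    return any(signature in s.data for s in segments)

def reassemble(segments, start_seq):
    """Rebuild the byte stream the receiving host would hand to the application.

    Segments are taken in arrival order. Out-of-order data is buffered, and
    duplicate or overlapping bytes keep the first copy seen (an assumed policy:
    an engine has to follow whatever the protected destination actually does).
    Output stops at the first gap, because the receiver delivers nothing past it.
    """
    buf = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            buf.setdefault((seg.seq + i - start_seq) % MOD, byte)
    out = bytearray()
    while len(out) in buf:
        out.append(buf[len(out)])
    return bytes(out)

def stream_match(segments, start_seq, signature=SIGNATURE):
    """Inspection after normalization: match on the reassembled stream."""
    return signature in reassemble(segments, start_seq)

def split(payload, start_seq, size):
    """Cut a payload into fixed-size segments (used only to build the sample)."""
    return [Segment((start_seq + i) % MOD, payload[i:i + size])
            for i in range(0, len(payload), size)]

# Constructed sample: start near sequence wraparound, 6-byte segments,
# delivered out of order with one retransmitted duplicate.
START_SEQ = 0xFFFFFFF8
PAYLOAD = b"GET /x " + SIGNATURE + b" tail"
_parts = split(PAYLOAD, START_SEQ, 6)
SAMPLE = [_parts[2], _parts[0], _parts[1], _parts[1], _parts[3], _parts[4]]

if __name__ == "__main__":
    print("per-segment match:", per_segment_match(SAMPLE))
    print("reassembled match:", stream_match(SAMPLE, START_SEQ))
```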


» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

| Severity | Vulnerability Description | Check Point Protection Issued | Industry Reference | Check Point Reference Number |
|---|---|---|---|---|
| Critical | Microsoft Internet Explorer HTML Object use after free Memory Corruption | 14-Dec-10 | CVE-2010-3340, MS10-090 | CPAI-2010-332 |
| Critical | Microsoft Internet Explorer 6 HTML Object Memory Corruption | 14-Dec-10 | CVE-2010-3343, MS10-090 | CPAI-2010-331 |
| Critical | Microsoft Office Publisher pubconv.dll Size Value Heap Corruption | 14-Dec-10 | CVE-2010-2569, MS10-103 | CPAI-2010-322 |
| Critical | Microsoft OpenType Font Format Driver Index Code Execution | 14-Dec-10 | CVE-2010-3956, MS10-091 | CPAI-2010-321 |
| Critical | Microsoft OpenType Font Format Driver CMAP Table Code Execution | 14-Dec-10 | CVE-2010-3959, MS10-091 | CPAI-2010-333 |
| Critical | Adobe Reader JavaScript printSeps Function Heap Corruption | 16-Nov-10 | CVE-2010-4091, APSB10-28 | CPAI-2010-316 |
| Critical | Adobe Flash Player DLL Loading Code Execution | 16-Nov-10 | CVE-2010-3976, APSB10-26 | CPAI-2010-314 |
| High | Microsoft Windows Address Book Insecure Library Loading | 14-Dec-10 | CVE-2010-3147, MS10-096 | CPAI-2010-340 |
| High | Microsoft Windows Media Encoder Insecure Library Loading | 14-Dec-10 | CVE-2010-3965, MS10-094 | CPAI-2010-343 |
| High | Microsoft Internet Connection Signup Wizard Insecure DLL Loading | 14-Dec-10 | CVE-2010-3144, MS10-097 | CPAI-2010-344 |
| High | Microsoft Windows Movie Maker Insecure Library Loading | 14-Dec-10 | CVE-2010-3967, MS10-093 | CPAI-2010-341 |
| High | Microsoft Windows Netlogon RPC Null dereference Denial of Service | 14-Dec-10 | CVE-2010-2742, MS10-101 | CPAI-2010-338 |
| High | Microsoft Graphics Filters CGM Image Converter Buffer Overrun | 14-Dec-10 | CVE-2010-3945, MS10-105 | CPAI-2010-337 |
| High | Microsoft Graphics Filters PICT Image Converter Integer Overflow | 14-Dec-10 | CVE-2010-3946, MS10-105 | CPAI-2010-336 |
| High | Microsoft Graphics Filters FlashPix Converter Buffer Overflow | 14-Dec-10 | CVE-2010-3951, MS10-105 | CPAI-2010-335 |
| High | Microsoft Graphics Filters FlashPix Converter Heap Corruption | 14-Dec-10 | CVE-2010-3952, MS10-105 | CPAI-2010-334 |
| High | Microsoft SharePoint Malformed Request Remote Code Execution | 14-Dec-10 | CVE-2010-3964, MS10-104 | CPAI-2010-339 |
| High | Microsoft Graphics Filters TIFF Image Converter Buffer Overflow | 14-Dec-10 | CVE-2010-3949, CVE-2010-3950, MS10-105 | CPAI-2010-328 |
| High | Microsoft Internet Explorer Table Handling Memory Corruption | 04-Nov-10 | CVE-2010-3962, MS10-090 | CPAI-2010-310 |

Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.

» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its NGX products through SmartDefense subscriptions, and to Check Point Software Blades products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point's global Research and Response Centers. For more information, visit www.CheckPoint.com.

©2003-2010 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved. 800 Bridge Parkway, Redwood City, CA USA 94065