Check Point Security Advisory
» Top Protections

Microsoft SMB Client Vulnerabilities
(MS10-020)

Several critical vulnerabilities have been identified in Microsoft Server Message Block (SMB), a network file sharing protocol. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. One, CVE-2009-3676, has been public for five months and was the first confirmed zero-day vulnerability in Windows 7. See Microsoft Security Advisory 977544. Check Point has provided immediate protection for this vulnerability since November 17, 2009 and provides immediate protection against exploits that use these vulnerabilities through its integrated IPS offerings.

Multiple Browser Vulnerabilities
(Internet Explorer MS10-018, Firefox Security Advisories, Safari CVE-2009-3271)

Exploitation of browser vulnerabilities is a favorite attack vector, and browser vendors have been trying to keep up with security updates. On March 30th Microsoft released an out-of-band security update for Internet Explorer that fixed 10 Critical vulnerabilities. Check Point provided protections for all 10. In addition, Check Point IPS-1 provides protections against 7 Firefox exploits, 3 of which were Critical, and an immediate protection against an unpatched Safari exploit.

Blocking Null Prefix in DNS MX Records
(MS10-024, CVE-2010-0024)

A denial of service vulnerability has been reported in the way that the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component handles specially crafted DNS Mail Exchanger (MX) resource records. A remote attacker may trigger this vulnerability via a specially crafted DNS request with a null prefix in the MX record. Successful exploitation of this issue could cause the affected system to stop accepting requests. Check Point provides immediate protection against this exploit through its integrated IPS offerings: SmartDefense and the IPS Software Blade.
April 13, 2010

Deployment Tip
Best Practice: Defining Exceptions to SmartEvent IPS Events
SmartEvent turns security information into action with real-time security event correlation and management for Check Point security gateways and third-party devices. Security events are analyzed, correlated, and assigned severity levels, and they invoke automatic reactions based upon the Events Policy.

Severity levels prioritize security threats in pre-defined timelines, queries, reports, and graphs. If you identify an event that is clearly not a threat, you can tailor the Events Policy by creating Event Exceptions, reducing the severity level as needed. Conversely, to respond faster to a real threat, you may want to use an Event Exception to add an Automatic Reaction, such as sending an email notification.

Exceptions can be added either in the Policy tab or by right-clicking on an existing IPS event and selecting Add exception to event definition.

To define an exception via the Events tab:
  1. In the Events tab, right-click on an event and select Add exception to event definition.
  2. The Exception to event definition appears with the fields pre-populated from that event. Modify the Severity and Reaction as needed and click OK.
  3. Install the policy.

» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

| Severity | Vulnerability Description | Check Point Protection Issued | Industry Reference | Check Point Reference Number |
|---|---|---|---|---|
| Critical | Microsoft Windows SMB Endless Loop Denial of Service | 16-Nov-09 | MS10-020, CVE-2009-3676, Security Advisory 977544 | CPAI-2009-296 |
| Critical | Microsoft Windows SMB Client Memory Allocation Memory Corruption | 13-Apr-10 | MS10-020, CVE-2010-0269 | CPAI-2010-064 |
| Critical | Microsoft Windows SMB Client Transaction Memory Corruption | 13-Apr-10 | MS10-020, CVE-2010-0270 | CPAI-2010-065 |
| Critical | Microsoft Windows SMB Client Response Parsing Memory Corruption | 13-Apr-10 | MS10-020, CVE-2010-0476 | CPAI-2010-061 |
| Critical | Microsoft Windows SMB Client Message Size Remote Code Execution | 13-Apr-10 | MS10-020, CVE-2010-0477 | CPAI-2010-063 |
| Critical | Microsoft Windows MPEG Layer-3 Audio Decoder AVI File Stack Overflow | 13-Apr-10 | MS10-026, CVE-2010-0480 | CPAI-2010-060 |
| Critical | Microsoft Windows VBScript MsgBox Call with Malicious HLP File | 02-Mar-10 | MS10-020, CVE-2010-0483, Security Advisory 981169 | CPAI-2010-049 |
| Critical | Microsoft Windows Internet Explorer iepeers.dll Remote Code Execution* | 01-Apr-10 | MS10-018, CVE-2010-0806 | CPAI-2010-044 |
| Critical | Microsoft Windows DOM Operation HTML Object Memory Corruption | 01-Apr-10 | MS10-018, CVE-2010-0491 | CPAI-2010-054 |
| Critical | Microsoft Windows Internet Explorer CSS HTML Object Memory Corruption | 01-Apr-10 | MS10-018, CVE-2010-0492 | CPAI-2010-055 |
| Critical | Microsoft Windows Internet Explorer HTML CSS Tag Rendering Memory Corruption | 01-Apr-10 | MS10-018, CVE-2010-0807 | CPAI-2010-058 |
| Critical | Microsoft Windows Internet Explorer Element Cross-Domain Information Disclosure | 01-Apr-10 | MS10-018, CVE-2010-0494 | CPAI-2010-056 |
| Critical | Microsoft Windows Media Player ActiveX Codec Retrieval Vulnerability | 13-Apr-10 | MS10-027, CVE-2010-0268 | SBP-2010-15 |
| Critical | Microsoft Windows Media Services Stack-based Buffer Overflow | 13-Apr-10 | MS10-025, CVE-2010-0478 | CPAI-2010-062 |
| Critical | PKCS11 Module Installation Code Execution | 25-Mar-10 | CVE-2009-3076 | CPAI-2010-116 |
| Critical | Mozilla Firefox Top-level Script Object Offset Calculation Memory Corruption | 25-Mar-10 | CVE-2009-3073 | CPAI-2010-117 |
| Critical | Mozilla Firefox Browser Engine Memory Corruption | 25-Mar-10 | CVE-2009-3382 | CPAI-2010-113 |
| High | Blocking Null Prefix in DNS MX Records | 13-Apr-10 | MS10-024, CVE-2010-0024 | SBP-2010-16 |

Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.
» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its R65 products through SmartDefense Services, and to Check Point R70 products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point’s global Research and Response Centers. For more information, visit www.CheckPoint.com.

©2003-2010 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved. 800 Bridge Parkway, Redwood City, CA USA 94065