Security Advisory: August 10, 2010

»Top Protections

Microsoft Shortcut (LNK) Vulnerability
(MS10-046, 2286198, CVE-2010-2568)

A critical zero-day .LNK (shortcut) vulnerability in Microsoft Windows that is being actively exploited in the wild by the “Stuxnet” worm and “Sality” malware family has prompted Microsoft to issue an emergency patch 17 days after public disclosure of the vulnerability. However, the update did not patch Windows XP SP2 or Windows 2000, since those operating systems have reached end-of-support. The Check Point IPS Software Blade, IPS-1 and NGX SmartDefense provide immediate network protection for all versions of Windows in the latest IPS Update by detecting and blocking the transferring of suspicious .LNK files over CIFS. Learn More.

Microsoft Office Word MS10-056 Vulnerabilities
(MS10-056)

Several remote code execution vulnerabilities have been reported in Microsoft Office Word. A remote attacker can exploit the vulnerabilities by using specially crafted Word and RTF files to take complete control of an affected system. Check Point recommends applying the latest vendor patches and getting immediate protection by applying the latest IPS update. Learn More.

Microsoft MPEG Layer-3 Codecs Memory Corruption Vulnerability
(MS10-052, CVE-2010-1882)

A critical remote code execution vulnerability has been reported in the Microsoft DirectShow MP3 filter. Successful exploitation of this issue may allow the attacker take complete control of an affected system by convincing a victim to open a specially crafted MP3 file. Check Point’s protection detects and blocks the transferring of malformed MP3 files over HTTP. Learn More.

August 10, 2010

In This Advisory
» Top Protections
	Microsoft Shortcut (LNK) Vulnerability
	Microsoft Office Word MS10-056 Vulnerabilities
	Microsoft MPEG Layer-3 Codecs Memory Corruption Vulnerability
» Deployment Tip
	Configuring automatic IPS contract updates to work through a proxy server
» Highlighted Protections
	Including Patch Tuesday

Deployment Tip
Best Practice: Configuring automatic IPS contract updates to work through a proxy server
Check Point Security Management is designed to fit into complex customer environments, and provide easy-to-use centralized management. For example, it’s a simple process to enable proxied connections for IPS contract updates from the Security Management server. To do this, use the same procedure as you would for proxy configuration of IPS updates.

In the SmartDashboard application, go to IPS--> Download Updates
Choose the “Configure” near the proxy settings
Configure the proxy settings as desired.

» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

Severity	Vulnerability Description	Check Point Protection Issued	Industry Reference	Check Point Reference Number
Critical	Microsoft Windows Shell LNK File Remote Code Execution	19-Jul-10	CVE-2010-2568 MS10-046	CPAI-2010-221
Critical	Microsoft MPEG Layer-3 Codecs Memory Corruption	10-Aug-10	CVE-2010-1882 MS10-052	CPAI-2010-241
Critical	Microsoft Word RTF Data Parsing Buffer Overflow	10-Aug-10	CVE-2010-1902 MS10-056	CPAI-2010-237
Critical	Microsoft Windows SSL and TLS Protocols Renegotiation Vulnerability	23-Nov-09	CVE-2009-3555 MS10-049	SBP-2009-23 CPAI-2010-020
Critical	Microsoft SMB Server Pool Overflow Remote Code Execution	10-Aug-10	CVE-2010-2550 MS10-054	CPAI-2010-234
Critical	Microsoft Windows Cinepak Codec Remote Code Execution	10-Aug-10	CVE-2010-2553 MS10-055	CPAI-2010-229
Critical	Microsoft Silverlight Pointer Handling Memory Corruption	10-Aug-10	CVE-2010-0019 MS10-060	CPAI-2010-228
Critical	Microsoft Internet Explorer Parent Style Uninitialized Memory Corruption	10-Aug-10	CVE-2010-2559 MS10-053	CPAI-2010-225
Critical	Microsoft Internet Explorer boundElements Uninitialized Memory Corruption	10-Aug-10	CVE-2010-2557 MS10-053	CPAI-2010-233
Critical	Microsoft Msxml2.XMLHTTP.3.0 Response Handling Memory Corruption	10-Aug-10	CVE-2010-2561 MS10-051	CPAI-2010-239
Critical	ToolTalk rpc.ttdbserverd Database Parser Heap Overflow	14-Jul-10	CVE-2010-0083	CPAI-2010-220
Critical	Apache Struts2 ParametersInterceptor Remote Command Execution	01-Aug-10	CVE-2010-1870	CPAI-2010-141
High	Microsoft Word sprmCMajority Record Parsing Remote Code Execution	10-Aug-10	CVE-2010-1900 MS10-056	CPAI-2010-243
High	Microsoft Word HTML Linked Objects Memory Corruption	10-Aug-10	CVE-2010-1903 MS10-056	CPAI-2010-226
High	Microsoft SMB Server Variable Validation Remote Code Execution	10-Aug-10	CVE-2010-2551 MS10-054	CPAI-2010-235
High	Microsoft Windows Movie Maker Memory Corruption	10-Aug-10	CVE-2010-2564 MS10-050	CPAI-2010-242

More Updates >

Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.

Know someone who should be getting the Advisories?

» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its NGX products through SmartDefense subscriptions, and to Check Point Software Blades products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point’s global Research and Response Centers. For more information, visit www.CheckPoint.com.

Archived Check Point Security Advisories