Check Point Security Advisory
» Top Protections

Microsoft Office Excel Vulnerabilities
(MS10-017)

Multiple vulnerabilities have been identified in Microsoft Excel. A remote attacker could exploit these issues via a malformed Excel file. Successful exploitation of these vulnerabilities may allow execution of arbitrary code on a target system. Check Point provides immediate protection against exploits that use these vulnerabilities through its integrated IPS offerings. Check Point SmartDefense and IPS Software Blade detect and block the transfer of malformed Excel files.

Internet Explorer VBScript Vulnerability
(Security Advisory 981169, CVE-2010-0483)

A zero-day remote code execution vulnerability has been discovered in the way that VBScript interacts with Windows Help files when using Internet Explorer. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page. Successful exploitation could result in execution of arbitrary code on the affected system. Microsoft publicly disclosed information on the exploit in a Security Advisory on March 1st, and one day later Check Point provided immediate protection against this exploit in its integrated and dedicated IPS products: IPS Software Blade, SmartDefense, and IPS-1.

Botnets: Kneber/Zeus and Pushdo
(Industry Coverage: Network World, TrendMicro)

Kneber and Pushdo are command-and-control botnets that primarily target Microsoft Windows operating systems and are able to make constant changes to their code, which makes them hard to detect. Kneber has affected more than 74,000 PCs in 2,400 business and government systems around the world. The Pushdo botnet is reportedly the second largest spam botnet on the planet, believed to be responsible for 1 out of every 25 spam emails sent worldwide. Check Point provides immediate protection against these botnets through its integrated and dedicated IPS offerings. Check Point SmartDefense, IPS Software Blade, and IPS-1 detect and block attempts to connect to the Kneber/Zeus and Pushdo botnets.
March 9, 2010

Deployment Tip
Best Practice: Use IPS Event Analysis Maps to Create a Geo Protection Policy
Some companies need to monitor traffic from certain countries to satisfy regulatory requirements. Maps, in the IPS Event Analysis client, is a graphical representation of events by source and destination country that accomplishes this task.

Geo Protection in the IPS Software Blade takes this one step further, providing a means to block or allow traffic to or from specific countries. Whether or not you need to satisfy a regulatory requirement, you may find that the data in the IPS Event Analysis Maps is a valuable source of information for creating a Geo Protection policy that limits your exposure to outside threats. Within the policy you can create exceptions to allow legitimate traffic.

The country information is derived from IP addresses in the packet by means of an IP-to-country database that is regularly updated and automatically downloaded to the Security Gateway from a Check Point data center.

To block, allow or monitor traffic by country:
  1. In the SmartDashboard IPS tab, select Geo Protection from the navigation tree.
  2. In the Geo Protection page, choose an IPS Profile.
  3. Define a Policy for Specific Countries: Click Add; the Geo Protection window opens.
  4. Configure a Policy for Other Countries. These settings apply to all countries and IP addresses that are not included in the Policy for Specific Countries.
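
Before enforcing a new country policy, it helps to see what it would do to traffic you have already observed. The following Python example is added here for illustration and is not Check Point code or part of the original advisory: it models the decision order described above (exceptions, then the policy for specific countries, then the policy for other countries) and dry-runs it over sample events. The country codes, IP ranges, policy layout and function names are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed IP-to-country table: documentation ranges, placeholder codes.
IP_TO_COUNTRY = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("203.0.113.0/24"), "CC"),
]

# Hypothetical policy layout: per-country action by direction, a default
# for all other countries, and exceptions for known-legitimate peers.
POLICY = {
    "specific": {
        "AA": {"from": "block", "to": "block"},
        "BB": {"from": "monitor", "to": "allow"},
    },
    "other": "allow",
    "exceptions": [ipaddress.ip_network("192.0.2.10/32")],
}

def country_of(ip):
    """Map an IP to a country code, or None if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, code in IP_TO_COUNTRY:
        if addr in net:
            return code
    return None

def decide(remote_ip, direction, policy=POLICY):
    """Return (country, action) for traffic 'from' or 'to' remote_ip."""
    addr = ipaddress.ip_address(remote_ip)
    country = country_of(remote_ip)
    if any(addr in net for net in policy["exceptions"]):
        return country, "allow"           # exception wins over country rule
    rule = policy["specific"].get(country)
    if rule and direction in rule:
        return country, rule[direction]   # policy for specific countries
    return country, policy["other"]       # policy for other countries

def dry_run(events, policy=POLICY):
    """Count (country, action) outcomes for (remote_ip, direction) events."""
    tally = Counter()
    for remote_ip, direction in events:
        country, action = decide(remote_ip, direction, policy)
        tally[(country or "other", action)] += 1
    return dict(tally)

# Constructed sample events: (remote IP, direction relative to that IP).
SAMPLE_EVENTS = [
    ("192.0.2.55", "from"), ("192.0.2.10", "from"), ("198.51.100.7", "from"),
    ("198.51.100.7", "to"), ("203.0.113.9", "from"), ("10.1.2.3", "to"),
]

if __name__ == "__main__":
    for key, count in sorted(dry_run(SAMPLE_EVENTS).items()):
        print(key, count)
```

An unexpectedly large count in a "block" row for a country you do business with is the cue to add an exception before the policy goes live.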

» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

| Severity | Vulnerability Description | Check Point Protection Issued | Industry Reference | Check Point Reference Number |
|---|---|---|---|---|
| Critical | Microsoft Windows VBScript MsgBox Call with Malicious HLP File | 02-Mar-10 | 981169, CVE-2010-0483 | CPAI-2010-049 |
| Critical | Kneber/Zeus Botnet | 24-Feb-10 | Network World | CPAI-2010-038 |
| Critical | Pushdo Botnet Denial of Service Attacks | 18-Feb-10 | TrendMicro | SBP-2010-10 |
| Critical | Adobe Flash Player Subvert Domain Sandbox | 24-Feb-10 | APSB10-06, CVE-2010-0186 | CPAI-2010-039 |
| Critical | Sun Java System Web Server Digest Authorization Buffer Overflow | 19-Feb-10 | BugTraq ID: 37896 | CPAI-2010-109 |
| Critical | Sun Java System Web Server WEBDAV Stack Buffer Overflow | 19-Feb-10 | Secunia Advisory SA38260 | CPAI-2010-106 |
| Critical / High | Microsoft Excel DbOrParamQry Record Parsing Code Execution | 09-Mar-10 | MS10-017, CVE-2010-0264 | CPAI-2010-047 |
| Critical / High | Microsoft Excel FNGROUPNAME Record Uninitialized Memory | 09-Mar-10 | MS10-017, CVE-2010-0262 | CPAI-2010-045 |
| Critical / High | Microsoft Excel MDXSET Record Heap Overflow | 09-Mar-10 | MS10-017, CVE-2010-0261, CVE-2010-0260 | CPAI-2010-043 |
| Critical / High | Microsoft Excel Sheet Object Type Confusion | 09-Mar-10 | MS10-017, CVE-2010-0258 | CPAI-2010-042 |
| Critical / High | Microsoft Excel XLSX File Parsing Code Execution | 09-Mar-10 | MS10-017, CVE-2010-0263 | CPAI-2010-046 |
| Critical / High | Microsoft Excel EntExU2 Record Memory Corruption | 09-Mar-10 | MS10-017, CVE-2010-0257 | CPAI-2010-041 |
| Critical / High | Microsoft Movie Maker Project File Handling Buffer Overflow | 09-Mar-10 | MS10-016, CVE-2010-0265 | CPAI-2010-048 |
| Critical / High | Adobe BlazeDS XML Processing Information Disclosure | 14-Feb-10 | APSB10-05, CVE-2009-3960 | CPAI-2010-036 |

Have questions about IPS?
Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.

» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information to its R65 products through SmartDefense Services, and to Check Point R70 products through an update service included with the relevant Software Blade subscriptions. These updates increase the value of your Check Point products and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. These defenses are developed and distributed by Check Point’s global Research and Response Centers. For more information, visit www.CheckPoint.com.

©2003-2010 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved. 800 Bridge Parkway, Redwood City, CA USA 94065