Check Point Security Advisory
» Top Protections

Insecure Library Loading Vulnerability in Microsoft Word
(Microsoft Security Bulletin MS11-023, CVE-2011-0107) The vulnerability is caused when Microsoft Word incorrectly restricts the path used for loading external libraries. Successful exploitation of this vulnerability could allow the attacker to take complete control of a targeted system. Learn More.

Critical Integer Overflow Vulnerability in Microsoft's GDI+ Image Processing API
(MS11-029, CVE-2011-0041) An integer overflow vulnerability has been discovered in the way the GDI+ application programming interface handles integer calculations. A remote attacker who successfully exploits this vulnerability could take complete control of an affected system. Learn More.

Check Point Provides Preemptive Protection Against SQL Injection Attacks
An SQL code injection attack known as LizaMoon has infected over a million websites as of the end of March 2011. It attempts to convince a user to install malware that is disguised as a virus remover. Learn More.

April 12, 2011
In This Advisory
Top Protections
Insecure Library Loading Vulnerability in Microsoft Word
Critical Integer Overflow Vulnerability in Microsoft's GDI+ Image Processing API
Check Point Provides Preemptive Protection Against SQL Injection Attacks
Deployment Tip
APT Discussion with Tomer Teller, Check Point Security Evangelist
Highlighted Protections
Including Patch Tuesday

» Deployment Tip
APT Discussion with Tomer Teller, Check Point Security Evangelist

Ravit Greister, a Check Point security engineer, sat down with security evangelist Tomer Teller to chat about a buzzword that's been in the press lately, largely as a result of the recent RSA SecurID intellectual property breach.

What is APT?

Advanced Persistent Threat is a fancy and a somewhat misleading way of saying that a person or an organization has been specifically targeted by a malicious entity - typically a group of sophisticated, determined attackers that conducts a campaign of intellectual property theft and seeks to compromise government and commercial computer networks.

Can you provide us with a quick anatomy of an APT operation?

1. Perform Reconnaissance on the target. The first thing in an APT attack is to seek publicly available information about specific employees. To this end, social media sites such as LinkedIn, Facebook and search engines such as Google are always favorites.

2. Initial Intrusion. With information gained from social media sites about a specific person, the attackers can then send that user a Spear Phishing email, i.e. a target-specific message that attempts to convince the target to divulge information. Often the email uses target-relevant content; for instance, if the target is in the finance department, it might talk about some advice on regulatory controls.

3. Gain backdoor entrance. The next step in a typical APT is to install some sort of a Remote Administration Tool (RAT) that allows the attacker to control the machine. In the RSA attack for example, the tool used was a variant of the commercially-available "PoisonIvy" backdoor Trojan malware module.

4. Gain further access. Having set up remote access, the attacker will start stealing usernames and password hashes, and also search for user accounts with higher privileges.

5. Perform Data Exfiltration. The attacker would now attempt to send compromised data in an encrypted and compressed manner through “staging servers” back to the attacker. (“Exfiltration” is the term used to describe getting data out of a location, rather than trying to infiltrate it.)

6. Grow roots. Last, the attacker will install more RATs and may send updates to the malware to improve its ability to stay under the radar.

Could you give us examples of recently launched APTs?

  • Google was hit by an APT known as Operation Aurora
  • RSA was hit by an APT in March, which has resulted in the possible compromise of their SecurID hardware security token technology
  • The Stuxnet Worm is a great example of an ongoing APT

Note that with the majority of APT attacks, the attackers use unpatched zero-day vulnerabilities to install malware. For example, in RSA's case, the specially crafted file that was used to trick the employee contained a zero-day exploit that installs a backdoor using an Adobe Flash executable embedded in a Microsoft Excel spreadsheet. Stuxnet manipulated 4 different Microsoft zero-day vulnerabilities - you can read more about this very sophisticated malware attack here and here.

How can Check Point mitigate APT attacks?

The 6 steps I mentioned above in the attack anatomy can be roughly grouped into 3 categories: The Human Factor, Company Policy and Enforcement.

By generating security awareness inside the company amongst new and veteran employees, the initial intrusion that APTs attempt to use can be avoided. Spear phishing awareness training, for example, can be useful here. But we cannot always be certain that everyone passes a security awareness seminar and is always updated with the most recent security trends. An organization must have a defined and customized policy that is tailored to the needs of that specific business. For example: a financial company should not allow employees to open non-allowed email, send restricted documents etc. This can greatly help in blocking further access inside the organization. To protect against data exfiltration, a company must have in-depth layered security and layered enforcement which includes IPS, firewall and DLP technologies. If we look at all the above, this is exactly where Check Point's 3D security kicks in.


» Highlighted Protections

This table lists Check Point protections for recently disclosed threats. In some cases, Check Point protections against such threats or threat types have been available for some time, and the date listed is the date when the protection became available.

Severity | Vulnerability Description                                                | Check Point Protection Issued | Industry Reference      | Check Point Reference Number
---------|--------------------------------------------------------------------------|-------------------------------|-------------------------|-----------------------------
Critical | Microsoft GDI+ EMF Image Processing Integer Overflow                     | 12-Apr-2011                   | MS11-029, CVE-2011-0041 | CPAI-2011-224
Critical | Microsoft OpenType CFF Driver Font Data Stack Overflow                   | 12-Apr-2011                   | MS11-032, CVE-2011-0034 | CPAI-2011-221
Critical | Microsoft CIFS Browser Protocol Pool Corruption                          | 12-Apr-2011                   | MS11-019, CVE-2011-0654 | CPAI-2011-226
Critical | Microsoft SMB Crafted Write Request Remote Code Execution                | 12-Apr-2011                   | MS11-020, CVE-2011-0661 | CPAI-2011-225
Critical | Microsoft Internet Explorer Layouts Handling Memory Corruption           | 12-Apr-2011                   | MS11-018, CVE-2011-0094 | CPAI-2011-216
Critical | Microsoft Internet Explorer Object Lifetime Management Memory Corruption | 12-Apr-2011                   | MS11-018, CVE-2011-1345 | CPAI-2011-215
Critical | Fraudulent Comodo Certificates HTTPS Spoofing                            | 24-Mar-2011                   |                         | CPAI-2011-090
Critical | Mass SQL Injection LizaMoon Attack                                       | 05-Apr-2011                   |                         | CPAI-2011-212

More Updates >

Have questions about IPS?
IPS Forum: Participate in the IPS User Forum. The IPS Forum is your space for asking questions regarding all IPS features, and to collaborate with other IPS users, worldwide, on IPS related issues. Check Point employees may monitor the forum and provide information on the issues posted.
Know someone who should be getting the Advisories?

Subscribe to Security Alerts and Advisories

» About the Check Point Update Services
Check Point provides ongoing and real-time updates and configuration information through an update service included with the relevant subscriptions. Updates from Check Point's global Research and Response Centers increase the value of your Check Point products, and minimize threats by providing defenses that can be used before vendor patches are applied throughout your network. For more information, visit www.CheckPoint.com.

©2003-2010 Check Point Software Technologies Ltd. (Nasdaq: CHKP) All rights reserved. 800 Bridge Parkway, Redwood City, CA USA 94065