
Update Protection against Apple Safari on Windows Platform Remote Code Execution Vulnerability (MS09-015)


Check Point Reference: CPAI-2008-082
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Advisory (953818)
Microsoft Security Bulletin MS09-015
Industry Reference(s): CVE-2008-2540
Protection Provided by:
Security Gateway
  • R70
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Connectra
  • NGX R62
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Internet Explorer 6
Internet Explorer 7
Microsoft Windows XP SP2
Microsoft Windows XP SP3
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Vista
Microsoft Windows Vista SP1
Microsoft Windows Vista x64 Edition
Microsoft Windows Vista x64 Edition SP1
Vulnerability Description
A remote code execution vulnerability exists in Safari for Windows, a web browser developed by Apple. An attacker can exploit this issue to execute arbitrary code on a target system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS09-015
Vulnerability Details
The vulnerability is due to the combination of the default download location in Safari and how the Windows desktop handles executables. This creates a blended threat in which files may be downloaded to a machine without prompting, allowing them to be executed. A remote attacker can trigger this issue by convincing a victim to view a specially crafted Web page that could download content to a machine and execute it. Successful exploitation may allow the attacker to execute arbitrary code on the victim's system.

Protection Overview
The update enables the HTTP Worm Catcher to detect and block attempts to exploit the vulnerability based on pre-defined worm signatures. IPS-1 is preemptive against this vulnerability and does not require an update.

In order for the protection to be activated, update your Security Gateway/VPN-1/InterSpect/Connectra product to the latest IPS/SmartDefense update. For information on how to update IPS/SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > Malicious Code.
2. In the right pane, double-click the General HTTP Worm Catcher protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect).
4. Under Additional Settings > Block HTTP Worms, enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
2. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
3. Enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
2. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
3. Enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
2. Enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

InterSpect NGX

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
2. Enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the navigation tree, click Web Intelligence. In the Malicious Code Protection pane click General HTTP Worm Catcher.
2. Enable the following protection:

Apple Safari on Windows Remote Code Execution Vulnerability

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Worm Catcher
Attack Information: Apple Safari on Windows Remote Code Execution Vulnerability

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Filename Recorder protection group.
3. Click badfiles_filenamerecorder:badfilename_alert protection (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

badfiles_filenamerecorder:badfilename_alert
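
Added example (not part of the Check Point advisory, and not Check Point code): a triage script for the log entries listed in the "How Do I Know if My Network is Under Attack?" sections above. It matches the Attack Name / Attack Information pair and the IPS-1 alert name, then separates hits that were blocked (Prevent) from hits that were only logged (Detect). The CSV layout, column names and sample records are constructed assumptions, and src is assumed to be the browsing client.

```python
import csv
import io
from collections import defaultdict

# Strings taken from the advisory's log-entry sections.
ATTACK_NAME = "HTTP Worm Catcher"
ATTACK_INFO = "Apple Safari on Windows Remote Code Execution Vulnerability"
IPS1_ALERT = "badfiles_filenamerecorder:badfilename_alert"

# Constructed sample export. The column layout is an assumption, not a
# Check Point format; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """time,src,dst,action,attack_name,attack_info
2009-04-15 09:12:01,192.0.2.10,198.51.100.7,Prevent,HTTP Worm Catcher,Apple Safari on Windows Remote Code Execution Vulnerability
2009-04-15 09:14:44,192.0.2.23,198.51.100.7,Detect,HTTP Worm Catcher,Apple Safari on Windows Remote Code Execution Vulnerability
2009-04-15 09:15:02,192.0.2.23,198.51.100.9,Detect,HTTP Worm Catcher,Some Other Worm Pattern
2009-04-15 09:20:30,192.0.2.31,198.51.100.7,Detect,badfiles_filenamerecorder:badfilename_alert,
2009-04-15 09:21:00,192.0.2.10,203.0.113.5,Accept,,
"""

def is_safari_hit(row):
    """True if the record matches one of the log entries the advisory lists."""
    name = (row.get("attack_name") or "").strip()
    info = (row.get("attack_info") or "").strip()
    if name == IPS1_ALERT:  # entry the advisory lists for IPS-1
        return True
    return name == ATTACK_NAME and info == ATTACK_INFO

def triage(log_text):
    """Group matching records by client and split blocked from detect-only."""
    hosts = defaultdict(lambda: {"blocked": 0, "not_blocked": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_safari_hit(row):
            continue
        # Anything other than Prevent was logged by the gateway without being blocked.
        key = "blocked" if row["action"].strip().lower() == "prevent" else "not_blocked"
        hosts[row["src"].strip()][key] += 1
    return dict(hosts)

def hosts_to_investigate(log_text):
    """Clients with at least one matching record that was not blocked."""
    return sorted(h for h, c in triage(log_text).items() if c["not_blocked"])

if __name__ == "__main__":
    for host, counts in sorted(triage(SAMPLE_LOG).items()):
        print(host, counts)
    print("follow up:", hosts_to_investigate(SAMPLE_LOG))
```

Clients returned by hosts_to_investigate saw matching traffic while the protection was in Detect mode, so they are the ones to check for unexpected files in the Safari download location and for the MS09-015 patch.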