Check Point Advisories

Microsoft PowerPoint Insecure Library Loading (MS11-094; CVE-2011-3396)

Check Point Reference: CPAI-2011-573
Date Published: 13 Dec 2011
Severity: High
Last Updated: 26 Jun 2016
Industry Reference:CVE-2011-3396
Protection Provided by:

Security Gateway
R80, R77, R76, R75, R71, R70

Who is Vulnerable?
Vulnerability Description A remote code execution vulnerability has been reported in Microsoft PowerPoint. The vulnerability is due to an error in the way Microsoft PowerPoint restricts the path used for loading external libraries. A remote attacker could exploit this vulnerability by enticing a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Successful exploitation could allow an attacker to execute arbitrary code in the security context of the logged-on user.

Protection Overview

This protection will detect and block the transferring of malicious DLL files over a network share.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R76 / R75 / R71 / R70

  1. In the IPS tab, click Protections and find the Microsoft PowerPoint Insecure Library Loading (MS11-094) protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  Windows SMB Protection Violation.
Attack Information:  Microsoft PowerPoint insecure library loading (MS11-094)

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO