
IDP Signatures for Microsoft Internet Explorer Zero-day vulnerability CVE-2010-0249

  [KB16546]


Summary:
IDP Signatures for Microsoft Internet Explorer Zero-day vulnerability CVE-2010-0249
Symptoms:
Recently, a zero-day vulnerability in Microsoft Internet Explorer was made public. How do I configure IDP signatures to protect the network against this vulnerability?
Solution:
We have received many inquiries about the ability of IDP and IDP-enabled devices to protect against the Microsoft Internet Explorer zero-day vulnerability CVE-2010-0249. (For more details on this vulnerability, refer to http://www.microsoft.com/technet/security/advisory/979352.mspx.)

IDP currently has two signatures that can detect exploitation of this vulnerability, although they do not match the specific vulnerability itself:
Signature Short name: HTTP:STC:SCRIPT:UNI-SHELLCODE
Long name: HTTP: Encoded Shellcode in Javascript
Severity: Major
Recommended Attack: Yes
Recommended Action: Drop

Signature Short name: HTTP:STC:SCRIPT:FUNC-REASSIGN
Long name: HTTP: Script Evasion Function Reassignment
Severity: Minor
Recommended Attack: Not a Recommended Attack
Recommended Action: None

These attack objects are available on all supported IDP and IDP-enabled devices. They are grouped under the following signature group categories:
"All Attacks" - Response - Response_HTTP - Response_HTTP-Major and Response_HTTP-Minor.

We highly recommend that you add these attack objects to your policy: they catch exploitation of this issue and also catch similar IE-type attacks.

The following example shows how to add the attack objects from the CLI for SRX-IPS devices:

#set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:FUNC-REASSIGN"

#set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:UNI-SHELLCODE"

Specify the recommended action and commit the changes.
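
The complete rule for SRX-IPS devices, written out as an added example that is not part of the original article. `<policyname>` and `<aurora-attack>` are the article's placeholders; the match scope, the logging statement and the active-policy statement are assumptions to adapt to your own policy and Junos release.

```junos
# Added example, not from the original article. Replace <policyname> and
# <aurora-attack> before pasting these lines in configuration mode.

# Assumed match scope: any zone and address, default application ports.
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match from-zone any to-zone any source-address any destination-address any application default

# The two attack objects named in the article.
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:UNI-SHELLCODE"
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:FUNC-REASSIGN"

# "recommended" applies each attack object's own recommended action:
# Drop for UNI-SHELLCODE and None for FUNC-REASSIGN, per the listing above,
# so FUNC-REASSIGN matches are detected but the traffic is not dropped.
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> then action recommended

# Assumed addition: log every match so FUNC-REASSIGN hits remain visible.
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> then notification log-attacks

# Assumed: select this policy as the active IDP policy, then validate and commit.
set security idp active-policy <policyname>
commit check
commit
```

After the commit, `show security idp status` and `show security idp attack table` in operational mode show whether the policy is loaded and which attack objects have matched.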

