IDP Signatures for Microsoft Internet Explorer Zero-day vulnerability CVE-2010-0249

Article ID: KB16546 KB Last Updated: 04 Mar 2017 Version: 6.0
Summary:
IDP Signatures for Microsoft Internet Explorer Zero-day vulnerability CVE-2010-0249
Symptoms:
A zero-day vulnerability in Microsoft Internet Explorer was recently made public. How do I configure IDP signatures to protect the network against this vulnerability?
Solution:
We have received many inquiries about the ability of IDP and IDP-enabled devices to protect against the Microsoft Internet Explorer zero-day vulnerability CVE-2010-0249. (For more details on this vulnerability, refer to http://www.microsoft.com/technet/security/advisory/979352.mspx)

IDP currently has two signatures that can detect exploitation of this vulnerability, but not the specific vulnerability itself:
Signature Short name: HTTP:STC:SCRIPT:UNI-SHELLCODE
Long name: HTTP: Encoded Shellcode in Javascript
Severity: Major
Recommended Attack: Yes
Recommended Action: Drop

Signature Short name: HTTP:STC:SCRIPT:FUNC-REASSIGN
Long name: HTTP: Script Evasion Function Reassignment
Severity: Minor
Recommended Attack: Not a Recommended Attack
Recommended Action: None

These attack objects are available on all supported IDP and IDP-enabled devices. They are grouped under the following signature group categories:
"All Attacks" - Response - Response_HTTP - Response_HTTP-Major and Response_HTTP-Minor.

We highly recommend that you add these attack objects to your policy: they catch exploitation of this issue and also catch similar IE-type attacks.

The following example shows how to add the attack objects from the CLI for SRX-IPS devices:

# set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:FUNC-REASSIGN"

# set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:UNI-SHELLCODE"

Specify the recommended action and commit the changes.
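
A complete rule built around the two commands above, as an added example that is not part of the original article: it fills in the match conditions, applies each attack object's recommended action, logs matches, and commits. The `any`/`default` match values, the logging choice, and the `active-policy` statement (for Junos releases that select the running IDP policy this way) are assumptions to adapt; `<policyname>` and `<aurora-attack>` are the article's placeholders. Commands are shown without the `#` prompt, and lines starting with `#` are comments.

```junos
# Added example. Assumption: the rule inspects all zones and addresses on default application ports.
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match from-zone any
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match to-zone any
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match source-address any
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match destination-address any
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match application default

# The two attack objects named in this article.
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:UNI-SHELLCODE"
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> match attacks predefined-attacks "HTTP:STC:SCRIPT:FUNC-REASSIGN"

# Apply each object's own recommended action (Drop for UNI-SHELLCODE, None for FUNC-REASSIGN).
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> then action recommended
# Log every match so hits on the no-action FUNC-REASSIGN signature are still recorded.
set security idp idp-policy <policyname> rulebase-ips rule <aurora-attack> then notification log-attacks

# Assumption: this release selects the running IDP policy with active-policy.
set security idp active-policy <policyname>

# Validate the candidate configuration, then apply it.
commit check
commit

# After traffic has passed, confirm which attack objects have matched.
run show security idp attack table
```

IDP inspects only traffic that is permitted by a security policy with `application-services idp` enabled, so confirm the relevant zone-to-zone policies include it.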

