October Microsoft Updates

Filed under IPS, Microsoft Security Bulletins by theipsguy on October 17, 2009 at 1:57 am no comments

IBM/ISS
MS Bulletin
Coverage
Coverage Date
MS09-050
XPU 29.091
9/11/2009
MS09-051
XPU 29.091
9/11/2009
MS09-052
XPU 29.1
10/13/2009
MS09-053
XPU 29.1
Multiple Signatures and dates
MS09-054
XPU 29.1
Multiple Signatures and dates
MS09-055
XPU 29.1
Multiple Signatures and dates
MS09-056
XPU 29.08
8/11/2009
MS09-057
XPU 29.1
10/13/2009
MS09-058
Scanner Only
10/13/2009
MS09-059
MS09-060
Scanner Only
10/13/2009
MS09-061
XPU 29.09
9/8/2009
MS09-062
XPU 29.09
Multiple Signatures
Cisco
MS Bulletin
Coverage
Coverage Date
MS09-050
S438,S441
Multiple Dates
MS09-051
S441
10/13/2009
MS09-052
S441
10/13/2009
MS09-053
S441,S430
Multiple Dates
MS09-054
S441
10/13/2009
MS09-055
MS09-056
S441
10/13/2009
MS09-057
S441
10/13/2009
MS09-058
MS09-059
MS09-060
S422
8/4/2009
MS09-061
S441
10/13/2009
MS09-062
S441
10/13/2009

September Microsoft Bulletins

Filed under Microsoft Security Bulletins by theipsguy on September 9, 2009 at 1:27 pm no comments

IBM/ISS Coverage

http://bit.ly/11xX5Q

MS Bulletin Coverage Coverage Date
MS09-049 Scanner Only 1.59 September, 8 th 2009
MS09-048 XPU’s 20.90, 1.71, 1.72, 28.010,28.150,29.130,

29.030,29.070,29.080

 Multiple dates of coverage. 2006, 2008, 2009
MS09-047 XPU 20.90 September, 8 th 2009
MS09-046 XPU 20.90 September, 8 th 2009
MS09-045 XPU 20.90 September, 8 th 2009

Cisco

http://bit.ly/R1LEj

MS Bulletin Coverage Coverage Date
MS09-049 NA
MS09-048 S430, S248, S431, S242 Multiple dates of coverage
MS09-047 S431 September, 8 th 2009
MS09-046 S431 September, 8 th 2009
MS09-045 S431 September, 8 th 2009

Mcafee

http://bit.ly/4w90TJ

MS Bulletin Signature ID Coverage Date
MS09-049 Foundstone 7110
MS09-048 0x9E00, 7106 September, 8 th 2009, September 9 th, 2009
MS09-047 7108, 7109, 0x40265D00,0x40265E00 September, 8 th 2009, September 9 th, 2009
MS09-046 0×40266900 September, 8 th 2009
MS09-045 7098, 0×40266800 September, 8 th 2009, September 9 th, 2009

Microsoft Security Advisory (975191)

Filed under Microsoft Security Bulletins by theipsguy on September 3, 2009 at 1:01 pm no comments

Microsoft has announced a vulnerability in the IIS FTP service.  This vulnerability allows a stack-based buffer overflow, caused by improper bounds checking by the FTPd service. By sending an overly long NLST command, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.

IPS Vendor Protection Date Link
IBM/ISS yes Jun 6, 2002
Sept 3, 2003		 http://bit.ly/2loiYU
Cisco yes Sept 2, 2009 http://bit.ly/YJ97S
Mcafee yes Aug 31, 2009 No link

It is nice to see IBM/ISS with coverage dating back 6-7 years! The primary signature FTP_Mkd_Overflow was originally developed for a vulnerability in the WS_FTP Server will provide protection for this vulnerability as well, this signature is enabled by default.

Exploit code has been placed on Milw0rm and has been added to MetaSploit.

Blogger Labels: Microsoft,Advisory,FTPd,NLST,attacker,Cisco,Mcafee,coverage,signature,WS_FTP,Exploit,MetaSploit

July Microsoft Security Bullentins

Filed under Microsoft Security Bulletins by theipsguy on July 14, 2009 at 11:46 am no comments

Here is the breakdown from some of the IPS vendors.

TippingPoint Digital Vaccine 7739
Bulletin # TippingPoint Filter #
MS09-028 8196*, 8302, 8307
MS09-029 4062*
MS09-030 8306
MS09-031 8305
MS09-032 8296*, 8317
KB973472 8322

Cisco S414
19383 DirectX Size Validation Vulnerability string-tcp
19384 DirectX Pointer Validation Vulnerability meta
19384.1 DirectX Pointer Validation Vulnerability multi-string
19384.2 DirectX Pointer Validation Vulnerability string-tcp
19401 Microsoft Publisher File Parsing Vulnerability string-tcp
19339.1 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.6 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.7 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.8 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.9 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.2 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.3 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.4 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.5 Microsoft DirectShow msvidctl.dll Code Execution string-tcp

IBM/ISS

MS09-029, MS09-028
Proventia Network IDS XPU 29.070
Proventia Network IPS XPU 29.070
Proventia Network MFS XPU 29.070
Proventia Server IPS for Linux technology 29.070
Proventia Server IPS for Microsoft Windows technology 1.0.914.2410
Proventia Server IPS for Microsoft Windows technology 2.0.300.2410
Proventia-G 1.1 and earlier XPU 29.070
RealSecure Network XPU 29.070
RealSecure Server Sensor XPU 29.070

Filed under Microsoft Security Bulletins by theipsguy on July 13, 2009 at 11:27 am no comments

Today Microsoft released a bulletin for the Office Web components. Below is a link to the advisory. I wanted to see what the IPS vendors have available to detect/prevent the exploitation of this vulnerability.

I will update the list as I identify vendors with signatures. If you know of any vendors I have not listed let me know.

Cisco: released Signature Update S413

http://www.microsoft.com/technet/security/advisory/973472.mspx