The IPS Guy » Microsoft Security Bulletins

October Microsoft Updates

theipsguy — Sat, 17 Oct 2009 01:57:16 +0000

IBM/ISS

MS Bulletin	Coverage	Coverage Date
MS09-050	XPU 29.091	9/11/2009
MS09-051	XPU 29.091	9/11/2009
MS09-052	XPU 29.1	10/13/2009
MS09-053	XPU 29.1	Multiple Signatures and dates
MS09-054	XPU 29.1	Multiple Signatures and dates
MS09-055	XPU 29.1	Multiple Signatures and dates
MS09-056	XPU 29.08	8/11/2009
MS09-057	XPU 29.1	10/13/2009
MS09-058	Scanner Only	10/13/2009
MS09-059
MS09-060	Scanner Only	10/13/2009
MS09-061	XPU 29.09	9/8/2009
MS09-062	XPU 29.09	Multiple Signatures

Cisco

MS Bulletin	Coverage	Coverage Date
MS09-050	S438,S441	Multiple Dates
MS09-051	S441	10/13/2009
MS09-052	S441	10/13/2009
MS09-053	S441,S430	Multiple Dates
MS09-054	S441	10/13/2009
MS09-055
MS09-056	S441	10/13/2009
MS09-057	S441	10/13/2009
MS09-058
MS09-059
MS09-060	S422	8/4/2009
MS09-061	S441	10/13/2009
MS09-062	S441	10/13/2009

September Microsoft Bulletins

theipsguy — Wed, 09 Sep 2009 13:27:00 +0000

IBM/ISS Coverage

http://bit.ly/11xX5Q

MS Bulletin	Coverage	Coverage Date
MS09-049	Scanner Only 1.59	September, 8 ^th 2009
MS09-048	XPU’s 20.90, 1.71, 1.72, 28.010,28.150,29.130, 29.030,29.070,29.080	Multiple dates of coverage. 2006, 2008, 2009
MS09-047	XPU 20.90	September, 8 ^th 2009
MS09-046	XPU 20.90	September, 8 ^th 2009
MS09-045	XPU 20.90	September, 8 ^th 2009

Cisco

http://bit.ly/R1LEj

MS Bulletin	Coverage	Coverage Date
MS09-049	NA
MS09-048	S430, S248, S431, S242	Multiple dates of coverage
MS09-047	S431	September, 8 ^th 2009
MS09-046	S431	September, 8 ^th 2009
MS09-045	S431	September, 8 ^th 2009

Mcafee

http://bit.ly/4w90TJ

MS Bulletin	Signature ID	Coverage Date
MS09-049	Foundstone 7110
MS09-048	0x9E00, 7106	September, 8 ^th 2009, September 9 ^th, 2009
MS09-047	7108, 7109, 0x40265D00,0x40265E00	September, 8 ^th 2009, September 9 ^th, 2009
MS09-046	0×40266900	September, 8 ^th 2009
MS09-045	7098, 0×40266800	September, 8 ^th 2009, September 9 ^th, 2009

Microsoft Security Advisory (975191)

theipsguy — Thu, 03 Sep 2009 13:01:00 +0000

Microsoft has announced a vulnerability in the IIS FTP service. This vulnerability allows a stack-based buffer overflow, caused by improper bounds checking by the FTPd service. By sending an overly long NLST command, a remote attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges or cause the application to crash.

IPS Vendor	Protection	Date	Link
IBM/ISS	yes	Jun 6, 2002 Sept 3, 2003	http://bit.ly/2loiYU
Cisco	yes	Sept 2, 2009	http://bit.ly/YJ97S
Mcafee	yes	Aug 31, 2009	No link

It is nice to see IBM/ISS with coverage dating back 6-7 years! The primary signature FTP_Mkd_Overflow was originally developed for a vulnerability in the WS_FTP Server will provide protection for this vulnerability as well, this signature is enabled by default.

Exploit code has been placed on Milw0rm and has been added to MetaSploit.

Blogger Labels: Microsoft,Advisory,FTPd,NLST,attacker ,Cisco,Mcafee,coverage,signature,WS_FTP,Exploit,MetaSploit

July Microsoft Security Bullentins

theipsguy — Tue, 14 Jul 2009 11:46:00 +0000

Here is the breakdown from some of the IPS vendors.

TippingPoint Digital Vaccine 7739
Bulletin # TippingPoint Filter #
MS09-028 8196*, 8302, 8307
MS09-029 4062*
MS09-030 8306
MS09-031 8305
MS09-032 8296*, 8317
KB973472 8322

Cisco S414
19383 DirectX Size Validation Vulnerability string-tcp
19384 DirectX Pointer Validation Vulnerability meta
19384.1 DirectX Pointer Validation Vulnerability multi-string
19384.2 DirectX Pointer Validation Vulnerability string-tcp
19401 Microsoft Publisher File Parsing Vulnerability string-tcp
19339.1 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.6 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.7 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.8 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.9 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.2 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.3 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.4 Microsoft DirectShow msvidctl.dll Code Execution string-tcp
19339.5 Microsoft DirectShow msvidctl.dll Code Execution string-tcp

IBM/ISS

MS09-029, MS09-028
Proventia Network IDS XPU 29.070
Proventia Network IPS XPU 29.070
Proventia Network MFS XPU 29.070
Proventia Server IPS for Linux technology 29.070
Proventia Server IPS for Microsoft Windows technology 1.0.914.2410
Proventia Server IPS for Microsoft Windows technology 2.0.300.2410
Proventia-G 1.1 and earlier XPU 29.070
RealSecure Network XPU 29.070
RealSecure Server Sensor XPU 29.070

theipsguy — Mon, 13 Jul 2009 11:27:00 +0000

Today Microsoft released a bulletin for the Office Web components. Below is a link to the advisory. I wanted to see what the IPS vendors have available to detect/prevent the exploitation of this vulnerability.

I will update the list as I identify vendors with signatures. If you know of any vendors I have not listed let me know.

Cisco: released Signature Update S413

http://www.microsoft.com/technet/security/advisory/973472.mspx

The IPS Guy » Microsoft Security Bulletins

October Microsoft Updates

IBM/ISS

MS Bulletin

Coverage

Coverage Date

MS09-050

XPU 29.091

9/11/2009

MS09-051

XPU 29.091

9/11/2009

MS09-052

XPU 29.1

10/13/2009

MS09-053

XPU 29.1

Multiple Signatures and dates

MS09-054

XPU 29.1

Multiple Signatures and dates

MS09-055

XPU 29.1

Multiple Signatures and dates

MS09-056

XPU 29.08

8/11/2009

MS09-057

XPU 29.1

10/13/2009

MS09-058

Scanner Only

10/13/2009

MS09-059

MS09-060

Scanner Only

10/13/2009

MS09-061

XPU 29.09

9/8/2009

MS09-062

XPU 29.09

Multiple Signatures

Cisco

MS Bulletin

Coverage

Coverage Date

MS09-050

S438,S441

Multiple Dates

MS09-051

S441

10/13/2009

MS09-052

S441

10/13/2009

MS09-053

S441,S430

Multiple Dates

MS09-054

S441

10/13/2009

MS09-055

MS09-056

S441

10/13/2009

MS09-057

S441

10/13/2009

MS09-058

MS09-059

MS09-060

S422

8/4/2009

MS09-061

S441

10/13/2009

MS09-062

S441

10/13/2009