Microsoft Security Bulletin Coverage (Mar 13, 2009)

This week Microsoft released three security bulletins for March 2009, MS09-006, MS09-007 and MS09-008, which together cover 8 vulnerabilities. Microsoft rated MS09-006 Critical; it is a client-side advisory. MS09-007 and MS09-008 are rated Important and are server-side advisories. The SonicWALL UTM team has analyzed each security bulletin and released IPS signatures that detect/prevent potential attacks leveraging these vulnerabilities.

MS09-006 Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)

Windows Kernel Input Validation Vulnerability – CVE-2009-0081
  • IPS: 5427 MS GDI32 Polyline BO PoC (MS09-006)
Windows Kernel Handle Validation Vulnerability – CVE-2009-0082
  • The vulnerability is limited to the local system and is not remotely exploitable.
Windows Kernel Invalid Pointer Vulnerability – CVE-2009-0083
  • The vulnerability is limited to the local system and is not remotely exploitable.

MS09-007 Vulnerability in SChannel Could Allow Spoofing (960225)

SChannel Spoofing Vulnerability – CVE-2009-0085
  • The vulnerability is a design error that occurs only when the client doesn’t send a certificate verify message to the server. It cannot be detected by signatures because the traffic involved is legitimate.

MS09-008 Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)

DNS Server Query Validation Vulnerability – CVE-2009-0233
  • The vulnerability is triggered by poisoning the DNS server so that names differing only in letter case, such as www.abc.com and www.ABC.com, resolve to different IP addresses. It cannot be detected by signatures because the traffic involved is legitimate.
DNS Server Response Validation Vulnerability – CVE-2009-0234
  • The vulnerability is due to improper handling of a flood of DNS messages with query type ANY. It cannot be detected by signatures because the traffic involved is legitimate.
DNS Server Vulnerability in WPAD Registration Vulnerability – CVE-2009-0093
  • IPS: 5422 MS DNS Server WPAD Registration Spoofing PoC (MS09-008)
  • IPS: 5426 MS DNS Server WPAD Registration Spoofing PoC 2 (MS09-008)
WPAD WINS Server Registration Vulnerability – CVE-2009-0094
  • IPS: 5425 MS WINS Server WPAD Registration Spoofing PoC (MS09-008)
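
As an added example (not SonicWALL or Microsoft code), the case-variant condition described for CVE-2009-0233 can be checked offline against an export of DNS records: the Python below flags names that differ only in letter case yet map to different addresses. The three-column record format, the function names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: "owner type address" lines, as might be exported from a
# resolver cache or zone listing (the format is an assumption for this example).
SAMPLE_RECORDS = """\
www.abc.com.      A     192.0.2.10
www.ABC.com.      A     203.0.113.66
mail.abc.com      A     192.0.2.25
Mail.ABC.com.     A     192.0.2.25
cdn.abc.com.      A     192.0.2.40
cdn.abc.com.      A     192.0.2.41
ns1.abc.com.      NS    ns.example.net.
"""

def parse_records(text):
    """Yield (owner, address) for A/AAAA lines; skip other types and blanks."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() not in ("A", "AAAA"):
            continue
        # Drop the trailing root dot so "abc.com." and "abc.com" compare equal.
        yield fields[0].rstrip("."), fields[2]

def find_case_collisions(text):
    """Return {folded_name: {spelling: sorted addresses}} for names whose
    case variants map to different address sets."""
    by_name = defaultdict(lambda: defaultdict(set))
    for owner, address in parse_records(text):
        # DNS name comparison is case-insensitive (RFC 4343), so fold the case.
        by_name[owner.lower()][owner].add(address)
    findings = {}
    for folded, spellings in by_name.items():
        distinct_sets = {frozenset(addrs) for addrs in spellings.values()}
        # One spelling with several addresses is round-robin, not a collision;
        # several spellings with identical addresses are consistent.
        if len(spellings) > 1 and len(distinct_sets) > 1:
            findings[folded] = {s: sorted(a) for s, a in spellings.items()}
    return findings

if __name__ == "__main__":
    for name, variants in find_case_collisions(SAMPLE_RECORDS).items():
        print(f"case-variant mismatch for {name}:")
        for spelling, addrs in variants.items():
            print(f"  {spelling} -> {', '.join(addrs)}")
```

A finding here is a prompt to inspect the server's cache and confirm the MS09-008 update is installed, not proof of poisoning on its own.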

Besides enabling prevention for these signatures, customers are advised to run Windows Update and install the latest patches from Microsoft to maximize protection against potential exploits.