Posts

Well-known Zero-day Vulnerabilities 2012 Summary (Aug 9, 2012)

A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, operating system, etc. Multiple zero-day vulnerabilities are found each year. The following are the well-known zero-day vulnerabilities for the first half of 2012; Dell SonicWALL coverage for these vulnerabilities and references are also listed:

With the deployed signatures, Dell SonicWALL has protected customers against attacks on these vulnerabilities. The following are the hit statistics for the last 20 days:

2012 Zero-day hits

To better protect our customers, Dell SonicWALL has partnered with Microsoft on the MAPP program, and here is the MAPP landing page: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=380.

On that page you can find all the vulnerabilities Microsoft has released over the past two years, together with our coverage. Dell SonicWALL has cooperated successfully with Microsoft on detecting and preventing attacks on these vulnerabilities; for example, for the latest 0-day vulnerability CVE-2012-1889 we deployed signatures on the same day Microsoft released its public advisory: MAPP Partners with Updated Protections

In addition to signatures that detect exploits of 0-day vulnerabilities, we have more than 200 shellcode-detection IPS signatures, which proactively detect and block many attacks in the wild. The following are some examples of these IPS signatures:

  • 4569 HTTP Server Shellcode Exploit 8
  • 4573 Server Application Shellcode Exploit 10
  • 4574 HTTP Server Shellcode Exploit 10
  • 4584 Server Application Shellcode Exploit 17
  • 4598 Server Application Shellcode Exploit 3
  • 4601 HTTP Server Shellcode Exploit 11
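Generic shellcode signatures such as the ones listed above do not key on a particular CVE; they look for indicators that almost any native payload carries regardless of the vulnerability it targets. The following added example (not a Dell SonicWALL signature and not code from the original post) shows two of the best-known indicator classes over raw HTTP request bodies: a single-byte NOP sled and x86 "GetPC" stubs that position-independent shellcode uses to find its own address. The sled threshold, the sample requests and the HTTP parsing are assumptions constructed for the illustration.

```python
"""Heuristic shellcode detector over HTTP request bodies.

Added example: illustrates the class of generic indicators a network IPS
shellcode signature can match on. It is NOT the content of any vendor
signature; the threshold and the sample traffic below are assumptions
constructed for this illustration.
"""
import re

# Minimum run of single-byte NOPs (0x90) treated as a sled. Assumed threshold.
NOP_SLED_MIN = 32

# Byte idioms used by position-independent x86 shellcode to learn EIP.
GETPC_PATTERNS = {
    # E8 00000000 = CALL with zero displacement (call $+5); the following
    # POP r32 (58..5F) then holds the address of the POP itself.
    "call_next": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
    # D9 74 24 F4 = FNSTENV [ESP-0xC]; after an FPU instruction this writes
    # the last FPU instruction pointer onto the stack (common in decoders).
    "fnstenv": re.compile(rb"\xd9\x74\x24\xf4"),
}
NOP_SLED = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)


def scan_payload(data: bytes) -> list:
    """Return (indicator, offset) pairs found in raw bytes, sorted by offset."""
    hits = [("nop_sled", m.start()) for m in NOP_SLED.finditer(data)]
    for name, pat in GETPC_PATTERNS.items():
        hits.extend((name, m.start()) for m in pat.finditer(data))
    return sorted(hits, key=lambda h: h[1])


def split_http_request(raw: bytes):
    """Split a raw HTTP request into (request line, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return request_line, body


def classify_request(raw: bytes) -> dict:
    """Scan one HTTP request body; verdict is 'block' if any indicator fires."""
    line, body = split_http_request(raw)
    hits = scan_payload(body)
    return {"request": line, "hits": hits, "verdict": "block" if hits else "allow"}


# Constructed sample traffic (not captured from any real attack).
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 20\r\n\r\n" + b"name=alice&age=30xxx")
# Oversized field: a 64-byte NOP sled followed by CALL $+5 / POP EBX.
EXPLOIT = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"
           b"name=" + b"\x90" * 64 + b"\xe8\x00\x00\x00\x00\x5b" + b"A" * 16)

if __name__ == "__main__":
    for req in (BENIGN, EXPLOIT):
        print(classify_request(req))
```

A pure byte-pattern check like this is what makes such signatures "proactive", but it is also why they need protocol context in practice: a long 0x90 run or a stray `E8 00 00 00 00` can appear in legitimate binary uploads, so a production signature scopes the match to the fields an exploit would actually overflow and pairs it with the other indicators rather than alerting on any one of them.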

Microsoft Security Bulletin Coverage (March 14, 2012)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of March, 2012. A list of issues reported, along with SonicWALL coverage information follows:

MS12-017 Vulnerability in DNS Server Could Allow Denial of Service (2647170)

  • CVE-2012-0006 DNS Denial of Service Vulnerability
    Malicious traffic is indistinguishable from normal DNS traffic.

MS12-018 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)

  • CVE-2012-0157 PostMessage Function Vulnerability
    This is a local vulnerability. Attacks are not detectable over the network.

MS12-019 Vulnerability in DirectWrite Could Allow Denial of Service (2665364)

  • CVE-2012-0156 DirectWrite Application Denial of Service Vulnerability
    No coverage is available.

MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

  • CVE-2012-0002 Remote Desktop Protocol Vulnerability
    IPS: 4178 – Suspicious RDP Traffic 3
    IPS: 4186 – Suspicious RDP Traffic 4
  • CVE-2012-0152 Terminal Server Denial of Service Vulnerability
    This kind of attack is not detectable by SonicWALL.

MS12-021 Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

  • CVE-2012-0008 Visual Studio Add-In Vulnerability
    This is a local vulnerability. Attacks are not detectable over the network.

MS12-022 Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)

  • CVE-2012-0016 Expression Design Insecure Library Loading Vulnerability
    IPS: 1023 – Binary Planting Attempt 1
    IPS: 5726 – Binary Planting Attempt 2
    IPS: 6847 – Binary Planting Attempt 3
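The MS12-022 issue is an insecure library loading (binary planting) bug: the application opens a document from a remote location and then resolves a DLL name from that same remote directory before the system paths, so an attacker who can place a DLL next to a document gets code execution when the document is opened. The added example below (not a Dell SonicWALL signature and not code from the original post) shows the network-visible shape of such an attempt in WebDAV/HTTP access logs: a client fetches a document and, within a short window, probes for or fetches a DLL from the same directory. The log format, the extension lists, the correlation window and the sample log lines are constructed assumptions.

```python
"""Heuristic detection of a binary planting attempt in WebDAV/HTTP access logs.

Added example, not a vendor signature. Log format "<ISO time> <client> <method>
<path>", the extension lists and the 30 s window are assumptions; the log
lines at the bottom are constructed for the illustration.
"""
import posixpath
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)          # assumed correlation window
DOC_EXTS = (".design", ".doc", ".pdf")  # assumed "document" extensions
LIB_EXTS = (".dll",)                    # library names an app might resolve


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, client, method, path)."""
    ts, client, method, path = line.split()
    return datetime.fromisoformat(ts), client, method, path


def find_binary_planting(lines) -> list:
    """Return one alert per (client, directory, dll) where a DLL is probed or
    fetched from the directory a document was just fetched from."""
    recent_docs = {}   # (client, directory) -> time of last document GET
    alerted = set()
    alerts = []
    for line in lines:
        ts, client, method, path = parse_line(line)
        directory, name = posixpath.split(path)
        ext = posixpath.splitext(name)[1].lower()
        if method == "GET" and ext in DOC_EXTS:
            recent_docs[(client, directory)] = ts
        # The WebDAV redirector issues PROPFIND before GET when an application
        # tries to load a library from a remote path, so a PROPFIND for a DLL
        # counts as a probe even if the file is never fetched.
        elif method in ("GET", "PROPFIND") and ext in LIB_EXTS:
            seen = recent_docs.get((client, directory))
            key = (client, directory, name)
            if seen is not None and ts - seen <= WINDOW and key not in alerted:
                alerted.add(key)
                alerts.append({"client": client, "directory": directory,
                               "dll": name, "ts": ts.isoformat()})
    return alerts


# Constructed log: client .5 opens a document and the application then looks
# for plugin.dll beside it (alert); client .7 fetches a DLL with no document
# in context, then a document and a DLL a full minute apart (no alert).
LOG = """\
2012-03-14T10:00:01 10.0.0.5 PROPFIND /share/proj/report.design
2012-03-14T10:00:02 10.0.0.5 GET /share/proj/report.design
2012-03-14T10:00:03 10.0.0.5 PROPFIND /share/proj/plugin.dll
2012-03-14T10:00:03 10.0.0.5 GET /share/proj/plugin.dll
2012-03-14T10:05:00 10.0.0.7 GET /share/tools/setup.dll
2012-03-14T10:10:00 10.0.0.7 GET /share/tools/readme.doc
2012-03-14T10:11:00 10.0.0.7 GET /share/tools/setup.dll
""".splitlines()

if __name__ == "__main__":
    for alert in find_binary_planting(LOG):
        print(alert)
```

The check is deliberately keyed on the combination of document, directory and client rather than on any one DLL name, because the library an application resolves from its working directory varies per product and per version; the fix on the host side is the same either way (load libraries by absolute path or with a safe search order), and the network check only buys time until that fix is deployed.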