IN THIS ISSUE:
- Announcing the S414 Signature Update for IPS
- The Cisco IPS Active Update Bulletin is changing!
- Cisco Announces IPS Software 7.0 with Global Correlation
- Cisco IDS 4235 and IDS 4250 sensors end of signature support
- EOS and EOL dates for Cisco IPS Sensor Software Version 6.1
- Cisco IPS Signature correlation available in the Cisco Security IntelliShield Alert Manager Service
- Subscribe to the Product Alert Tool for IPS Related Field Issues
- Subscription Information
1. Announcing the S414 Signature Update for IPS
The S414 signature update contains the following new signatures:

| PLATFORM | SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED |
|---|---|---|---|---|---|
| 5.x,6.x | 16655.0 | DonBot | fixed-tcp | high | true |
| 5.x,6.x | 16753.0 | Mega-D | string-tcp | high | true |
| 5.x,6.x | 16754.0 | PushDo Botnet | string-tcp | high | true |
| 5.x,6.x | 17363.0 | Rustock Botnet | meta | high | true |
| 5.x,6.x | 17789.0 | Grum Bot | service-http | high | true |
| 5.x,6.x | 17363.1 | Rustock Botnet | service-http | informational | true |
| 5.x,6.x | 17363.2 | Rustock Botnet | service-http | informational | true |
| 5.x,6.x | 19381.0 | Embedded OpenType Font Heap Overflow Vulnerability | string-tcp | high | true |
| 5.x,6.x | 19382.0 | Embedded OpenType Font Integer Overflow Vulnerability | string-tcp | high | true |
| 5.x,6.x | 19383.0 | DirectX Size Validation Vulnerability | string-tcp | high | true |
| 5.x,6.x | 19384.0 | DirectX Pointer Validation Vulnerability | meta | high | true |
| 5.x,6.x | 19384.1 | DirectX Pointer Validation Vulnerability | multi-string | informational | true |
| 5.x,6.x | 19384.2 | DirectX Pointer Validation Vulnerability | string-tcp | informational | true |
| 5.x,6.x | 19401.0 | Microsoft Publisher File Parsing Vulnerability | string-tcp | high | true |
| 5.x,6.x | 19339.1 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.6 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.7 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.8 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.9 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.2 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.3 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.4 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |
| 5.x,6.x | 19339.5 | Microsoft DirectShow msvidctl.dll Code Execution | string-tcp | high | true |

The S414 signature update contains the following modified signatures:

| PLATFORM | SIGID | SIGNAME | ENGINE | SEVERITY | ENABLED |
|---|---|---|---|---|---|
| 5.x,6.x | 19219.1 | DirectShow QuickTime Media Processing Arbitrary Code Execution | multi-string | informational | true |
| 5.x,6.x | 19219.2 | DirectShow QuickTime Media Processing Arbitrary Code Execution | string-tcp | informational | true |

Modified signature details: None.
IMPORTANT NOTES:
All signature updates are cumulative. The S414 signature update contains all previously released signature updates.
You must have a valid Cisco Services for IPS contract per sensor to receive and use software upgrades including
signature updates from Cisco.com.
A Cisco Services for IPS Services License is required for the installation of all signature updates. The Cisco Services
for IPS Services License can be requested from http://www.cisco.com/go/license for all sensors covered by a
maintenance contract.
To manage your maintenance contracts use the Service Contract Center:
http://www.cisco.com/cgi-bin/front.x/scccibdispatch?AppName=ContractAgent
SUPPORTED PLATFORMS:
The S414 signature update can ONLY be applied to E3 sensors.
IPS S414 Software Update Files:
Please note that the signature update download location has changed.
Sensor appliances, IDSM2, NM-CIDS, ASA-SSM-AIP modules: click here
IOS IPS in 12.4(11)T or later T-Train Releases:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ios-v5sigup
Note: Posting of signature release files for IOS IPS may take a few additional days.
CISCO SECURITY MANAGER (CSM) NOTICE:
Note 1:
You can only apply the IPS-CS-MGR-sig-S414-req-E3.zip signature update file to CSM 3.0 or later and IPS MC version 2.2 or
later. The E3 Engine Update packages for sensors are deployed automatically the first time a signature set that requires
E3 is deployed by CSM. E3 updates are not listed or available for selection in the Apply Update Wizard and cannot be
applied independently by CSM. To ensure that the E3 update is applied to your sensors, please
push the S366 package to your sensors.
2. The Cisco IPS Active Update Bulletin is changing!
As part of our continuous improvements to Cisco IPS, we are updating the Cisco IPS Active Update Bulletin. Expect an improved layout, more information, faster access to the links you need and much more! Watch your inbox – the improved bulletin will arrive in a few short weeks!
3. Cisco Announces IPS Software 7.0 with Global Correlation
Cisco is pleased to announce sensor software version 7.0 with Global Correlation. Global Correlation is a new approach to threat management that harnesses the networked power of Cisco Security Intelligence Operations (SIO) to identify and prevent attacks more quickly and effectively than stand-alone security technologies.
With Global Correlation, Cisco IPS receives global threat updates from Cisco every five minutes, gaining rapid visibility into the reputation of known attackers and networked threats, as well as propagation and mutation trends. This added context enables Cisco IPS to stop twice as much malicious activity as traditional IPS systems that rely on local inspection only.
Cisco IPS v7.0 with Global Correlation is available now to all Cisco IPS customers with current Cisco Services for IPS support contracts. IPS v7.0 is available for all ASA AIP modules; 4240, 4255, 4260, and 4270 sensor appliances; NME-IPS and AIM-IPS Network Modules; and the IDSM2 module. It can be downloaded from the Cisco Security Software Center using your existing valid support license.
The Release notes for IPS 7.0 are available at this location.
4. Cisco IDS 4235 and IDS 4250 sensors end of signature support
Cisco IDS 4235 and IDS 4250 sensors have reached end of signature support.
If you are still using IDS 4235 and IDS 4250 sensors, please contact your Cisco sales representative regarding migration plans to newer Cisco IPS sensors. More information including recommended migration options is available at this web page: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_eol_notices_list.html
5. EOS and EOL dates for Cisco IPS Sensor Software Version 6.1
Cisco announces the end-of-sale and end-of-life dates for Cisco IPS Sensor Software Version 6.1. After December 14, 2009, signatures and engine updates will no longer be released for Cisco IPS Sensor Software Version 6.1. Customers are encouraged to migrate to Sensor Software Version 6.2 or Sensor Software Version 7.0 with Global Correlation.
Click here to download sensor software updates.
More information is available at the End of Sale Page on Cisco.com.
6. Cisco IPS Signature correlation available in the Cisco Security IntelliShield Alert Manager Service Search Access Feature
The Cisco IPS Team is
pleased to announce the correlation of Cisco IPS Signature information
within the IntelliShield Alert Manager Search Access Feature. Cisco
Services for IPS clients that subscribe to the service now have access
to perform targeted searches to display Cisco IPS Signatures associated
with different alerts to ensure they have the most up to date
intelligence. Subscribers can view a new IPS Signature list page that is
searchable and will display Cisco IPS Signatures associated with
IntelliShield Alerts. IntelliShield Alerts also contain the associated
Cisco IPS Signature information within each alert.
The IntelliShield Alert Manager Search Access Feature provides
clients with access to one of the most extensive collections of
vendor-neutral security intelligence alerts in the industry. Clients can
access a fully indexed and searchable database that extends back over
six years and contains more than 1700 vendors, 5500 products, and 20,000
distinct versions of applications.
To obtain access to the IntelliShield Alert Manager Search Access
Feature, each user is required to provide either a valid IPS License
File or a valid IPS Serial Number to authorize the creation of this user
account. Only one user
account is permitted for each IPS License File or IPS Serial Number.
Please proceed to the registration page at the following link to obtain
your access:
https://intellishield.cisco.com/security/alertmanager/intelliShieldSearch
Email support is available for users of the Cisco Security IntelliShield
Alert Manager Service Search Access Feature at
intellishieldsearch-support@cisco.com.
Support is provided by Cisco between the hours of 7:00 a.m. and 7:00
p.m. Eastern Time.
7. Subscribe to the Product Alert Tool for IPS Related Field Issues
Interested in knowing the
latest on field notices, product alerts, and end-of-sale information
relating to your IDS and IPS hardware? We have recently updated the Cisco
Product Alert Tool to include IDS and IPS appliances.
Simply visit: http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do
and follow these steps:
- Select Create a new Alert Profile.
- Name your profile anything you would like.
- Under Select Your Product, select: Intrusion Prevention System
- Click Add so that "Intrusion Prevention System" is added to the "Products in your profile" list
- Select the message types you wish to receive
- Confirm your email address
- Click Submit.
You will be
kept up to date with the latest news on your IPS hardware appliances.
8. Subscription Information
If you wish to receive this bulletin, you can subscribe now.
To stop receiving the bulletin, you can unsubscribe now.
Your opinions
are important to us. If you have feedback about the Active Update
Bulletin, please contact us at ips-news@cisco.com. For technical support, sales
or other issues, please contact your authorized Cisco reseller or Cisco
TAC. Please note that technical support or sales questions sent to this
address will not be answered or redirected.