Cisco Threat Defense Bulletin S658 July 19, 2012




In This Issue
Important Notes
Supported Sensor Software Versions
Release Summary
New Vulnerability and Exploit Protections
Updated Vulnerability and Exploit Protections
Retired Signatures
Sensor Update Information
New Product Announcements
EoL/EoS Announcements
Security Research Library



Your feedback makes our bulletin better! Please tell us what you love and what you would change at ips-news@cisco.com.


Visit the Cisco Event Response for more information, analysis, and guidance on this month's Microsoft Security Bulletin Release.


Please click here to download the latest IPS signature update package (sensor only).

Please click here to download the latest Cisco Security Manager (CSM) signature update package.

Download the S658 sensor package (sensor only).

Important Notes

IOS IPS Important Notice

IOS IPS customers running version 12.4T, 15.0M, or 15.1M: a critical software defect has been identified that may cause your router to reload and become stuck in a boot loop if IOS IPS signature version S639 or later is installed on the device. Recovery of affected devices is possible only via a serial console connection through the device's ROMMON mode. Customers using IOS IPS signatures S638 or earlier are not affected. Customers wishing to upgrade the IOS IPS signature version to S639 or later must first be running a fixed version of IOS on the device before upgrading the IPS signatures. Fixed versions of IOS include 15.2(4)M, 15.1(3)T4, 15.2(3)T1, 15.1(4)M5, 12.4(24)T8 and later. Please refer to defect CSCtz27137 for additional details and steps to recover affected devices. A link to download the latest Cisco IOS software for your device is provided below. If you need further assistance, please contact Cisco TAC.

IOS Software Download
 
WARNING: CISCO.COM IP ADDRESS CHANGE IN AUTO UPDATE CONFIGURATION

The 7.0(8)E4 service pack changes the default value of Cisco server IP address from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. Firewall rules may need to be updated to allow sensor connectivity to this new IP Address if the Cisco.com Auto Updates have been configured on your sensor.
 
AVAILABILITY OF 7.1(5)E4 SERVICE PACK
On July 16, 2012, IPS Service Pack 7.1(5)E4 was released.
The 7.1(5) release brings more of our existing platforms onto the 7.1 code base, two new security features, and many important fixes.

New Features
1. HTTP Advanced Decoding
The HTTP-Advanced-Decoding feature can decode the various encodings that may be applied to HTTP return (response) web traffic. The encodings include:
  • Content-Encodings, including GZIP and Deflate
  • Transfer-Encodings, including Chunked
  • UTF encodings, including UTF8, UTF7, UTF16BE, UTF16LE, UTF32BE, UTF32LE, and Byte-Order-Marker detection
  • Others: pipelined HTTP responses, junked headers, header folding
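To make the decoding chain concrete, the following Python is an added example (not Cisco's IPS code): it undoes chunked transfer encoding, then gzip or deflate content encoding, then a UTF byte-order mark, and shows that a sample pattern hidden behind those layers is invisible on the wire bytes but found after normalization. The HTTP response and the pattern are constructed for the example.

```python
import codecs
import gzip
import re
import zlib

# Constructed sample pattern, standing in for a signature string (not a Cisco signature).
PATTERN = re.compile(rb"<object\s+classid=", re.IGNORECASE)

# Byte-order marks checked longest first, so UTF-32-LE is not mistaken for UTF-16-LE.
BOMS = [(codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
        (codecs.BOM_UTF16_LE, "utf-16-le"), (codecs.BOM_UTF16_BE, "utf-16-be"),
        (codecs.BOM_UTF8, "utf-8")]

def _chunk(body: bytes, size: int = 5) -> bytes:
    """Apply HTTP/1.1 chunked transfer encoding (small chunks split the pattern)."""
    out = b"".join(b"%x\r\n%s\r\n" % (len(body[i:i + size]), body[i:i + size])
                   for i in range(0, len(body), size))
    return out + b"0\r\n\r\n"

def build_response(html: bytes, content_encoding: bytes = b"gzip") -> bytes:
    """Constructed server response: content-encode first, then chunk (the sender's order)."""
    if content_encoding == b"gzip":
        body = gzip.compress(html)
    elif content_encoding == b"deflate":
        body = zlib.compress(html)
    else:
        raise ValueError("unsupported encoding")
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: " + content_encoding + b"\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + _chunk(body))

def _dechunk(data: bytes) -> bytes:
    out = b""
    while True:
        line, _, data = data.partition(b"\r\n")
        size = int(line.split(b";")[0].strip(), 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += data[:size]
        data = data[size + 2:]  # skip the CRLF that terminates the chunk

def normalize(raw: bytes) -> bytes:
    """Undo transfer encoding, content encoding and UTF BOM so the body can be inspected."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = _dechunk(body)
    enc = headers.get(b"content-encoding", b"")
    if enc == b"gzip":
        body = gzip.decompress(body)
    elif enc == b"deflate":
        try:
            body = zlib.decompress(body)        # zlib-wrapped deflate (RFC 1950)
        except zlib.error:
            body = zlib.decompress(body, -15)   # raw deflate, which some servers send instead
    for bom, name in BOMS:
        if body.startswith(bom):
            body = body[len(bom):].decode(name).encode("utf-8")
            break
    return body

def matches(raw: bytes, decode: bool) -> bool:
    """True if the sample pattern is found; decode=False inspects the wire bytes as-is."""
    return PATTERN.search(normalize(raw) if decode else raw) is not None
```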

2. Signature Threat Profiles (Signature Templates)
Signature threat profiles are a feature aimed at easily selecting and deploying the signatures that are relevant for a given deployment and threat scenario.
The user selects one of several pre-defined Cisco templates.
This choice is available in the IDM startup wizard.
Cisco IPS 7.1(5)E4 is supported on the following platforms:
  • IPS 4240
  • IPS 4255
  • IPS 4260
  • IPS 4270-20
  • IPS 4345
  • IPS 4345-DC
  • IPS 4360
  • ASA 5500 AIP SSM-10
  • ASA 5500 AIP SSM-20
  • ASA 5500 AIP SSM-40
  • ASA 5512-X IPS SSP
  • ASA 5515-X IPS SSP
  • ASA 5525-X IPS SSP
  • ASA 5545-X IPS SSP
  • ASA 5555-X IPS SSP
  • ASA 5585-X IPS SSP-10
  • ASA 5585-X IPS SSP-20
  • ASA 5585-X IPS SSP-40
  • ASA 5585-X IPS SSP-60
NOTE:
This release is NOT yet qualified for the IPS 4510 or the IPS 4520.

MAJOR ISSUES ADDRESSED:
There are 39 named defects that have been addressed.
For full details please see the IPS 7.1(5)E4 ReadMe file.
 
Supported Sensor Software Versions

Signature updates are currently tested on the following sensor software releases according to the terms defined in the End-of-Sale Policy for Signature File Release on Intrusion Detection and Prevention (IDS/IPS) Sensors:

6.0(6) (Released: 29/MAR/2010)

6.2(4) (Released: 27/JUN/2011)
7.0(6) (Released: 13/SEP/2011) (upgrade soon!)
7.0(7) (Released: 31/JAN/2012) (upgrade soon!)
7.0(8) (Released: 29/MAY/2012) (new!)
7.1(3) (Released: 06/DEC/2011) (upgrade soon!)
7.1(4) (Released: 05/MAR/2012) (upgrade soon!)
7.1(5) (Released: 16/JUL/2012) (new!)

Please upgrade to one of these sensor software versions to ensure correct sensor operation and effective signature coverage.



Release S658 - July 19, 2012
Release Summary

Vulnerability              CVE             Severity  Risk Rating  Signature ID  History  Status
Adobe Acrobat and Read...  CVE-2012-0774   High      90           1184.0        New      Enabled
                           CVE-2012-0775
                           CVE-2012-0776
                           CVE-2012-0777
Apache Tomcat Remote U...  CVE-2009-0580   High      90           22999.0       New      Enabled
Microsoft Internet Exp...  CVE-2010-3329   High      90           30299.1       New      Enabled
Multiple Adobe Product...  CVE-2010-1297   High      85           1190.0        New      Enabled
Spyeye Trojan Toolkit      (none)          High      90           1212.0        New      Enabled
Microsoft Internet Exp...  CVE-2010-3329   High      90           30299.0       Updated  Enabled

Microsoft Windows .lnk...  CVE-2010-2568   High      75           27839.0       Enabled  Retired
Microsoft Windows .lnk...  CVE-2010-2568   High      75           27839.0       Enabled  Retired

+ 21 Retired Signatures
New Vulnerability and Exploit Protections

Multiple Adobe Products Remote Arbitrary Code Execution Vulnerability
Vulnerability Disclosed: 6/7/2010, CVSS Base: 9.3, Temporal: 7.5
Multiple Adobe products contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system or cause a denial of service (DoS) condition. The vulnerability exists due to a memory corruption error in the affected software that is triggered when processing PDF files with embedded Flash content or standalone Flash files. An unauthenticated, remote attacker could exploit the vulnerability by luring a targeted user to view crafted Flash content using the affected software. The attacker could leverage the resulting memory corruption error to execute arbitrary code on the targeted system or cause a DoS condition. Functional code that exploits this vulnerability is available. Adobe has confirmed this vulnerability and released updated software.
Severity Description Protected Since Signature ID Default Action
High Flash Player newfunction Buffer Overflow 7/19/2012 1190.0 produce-alert
More Details:
CVE-2010-1297


Microsoft Internet Explorer Uninitialized Memory Object Access Arbitrary Code Execution Vulnerability
Vulnerability Disclosed: 10/12/2010, CVSS Base: 9.3, Temporal: 6.9
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to invalid memory operations when processing malformed websites. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to view a malicious website containing an embedded Microsoft Office document. If successful, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.
Severity Description Protected Since Signature ID Default Action
High Microsoft HtmlDlgHelper Remote Code Execution 7/19/2012 30299.1 Block*
More Details:
CVE-2010-3329
Applied Mitigation Bulletin: 21450


Apache Tomcat Remote Username Enumeration Vulnerability
Vulnerability Disclosed: 5/4/2009, CVSS Base: 5.0, Temporal: 3.7
Apache Tomcat contains a vulnerability that could allow an unauthenticated, remote attacker to disclose sensitive information. The vulnerability could allow an unauthenticated, remote attacker to enumerate usernames for the affected application. An unauthenticated, remote attacker could exploit this vulnerability by making crafted login requests to the affected application. These requests return different information depending on whether the username in the login request exists on the system. This information could be used as an aid to additional attacks. Apache has confirmed this vulnerability and released updated software.
Severity Description Protected Since Signature ID Default Action
High Apache Tomcat Form Authentication Weakness 7/19/2012 22999.0 Block*
More Details:
CVE-2009-0580
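The weakness described above is the username-enumeration pattern in a form-login handler: the failure response differs depending on whether the account exists. The following Python is an added illustration, not Cisco's or Apache Tomcat's code: a leaky handler beside a hardened one, and a self-check a defender can run against their own login code. The user store, password, work factor and messages are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the example

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store (hypothetical, not from the bulletin): username -> (salt, digest)
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}
# Dummy credential so an unknown username costs the same hashing work as a known one
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("placeholder", _DUMMY_SALT))

def leaky_login(username: str, password: str) -> str:
    """Form-authentication handler with the weakness the bulletin describes:
    the failure response (and the work done) differs by whether the user exists."""
    if username not in USERS:
        return "Unknown user"
    salt, digest = USERS[username]
    if hmac.compare_digest(_hash(password, salt), digest):
        return "OK"
    return "Wrong password"

def uniform_login(username: str, password: str) -> str:
    """Hardened handler: one failure message, and the password is always hashed,
    so neither the response body nor the response time reveals valid usernames."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), digest)
    if ok and username in USERS:  # the dummy digest must never authenticate anyone
        return "OK"
    return "Invalid username or password"

def leaks_username(handler, known: str, unknown: str) -> bool:
    """Self-check to run against your own handler: do failed logins for a known
    and an unknown username produce different responses?"""
    return handler(known, "not-the-password") != handler(unknown, "not-the-password")
```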


Adobe Acrobat and Reader Security Update for April 2012
Vulnerability Disclosed: 4/10/2012
Adobe Acrobat and Reader contain multiple vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The updates contain fixes for four vulnerabilities. Two of the vulnerabilities are due to a memory corruption error in the affected software while handling JavaScript. Another vulnerability is due to an integer overflow error while handling TrueType Font (TTF) files. These updates also fix a vulnerability that could lead to a security bypass via the Adobe Reader installer. An unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code on a targeted system. To exploit these vulnerabilities, the attacker may provide a file to the user and persuade the user to open or execute the file by using misleading language or instructions. The following products are vulnerable:
  • Adobe Reader versions prior to 10.1.3 for Microsoft Windows and Macintosh
  • Adobe Reader versions prior to 9.5.1 for Windows and Macintosh
  • Adobe Reader versions 9.4.6 and prior for Linux
  • Adobe Acrobat versions prior to 10.1.3 for Microsoft Windows and Macintosh
  • Adobe Acrobat versions prior to 9.5.1 for Windows and Macintosh
The vulnerability addressed by CVE-2012-0777 affects only Macintosh and Linux systems. Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them. Adobe has released a security bulletin at the following link: APSB12-08: http://www.adobe.com/support/security/bulletins/apsb12-08.html
Adobe has released updates through automated mechanisms or at the following links:
  • Adobe Reader 10.1.3 for Windows: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
  • Adobe Reader 10.1.3 for Mac: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
  • Adobe Reader 9.5.1: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
  • Adobe Acrobat Standard and Professional 10.1.3 for Windows: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
  • Adobe Acrobat Professional 10.1.3 for Mac: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
  • Adobe Acrobat Professional Extended 10.1.3 for Windows: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
  • Adobe Acrobat 9.5.1: http://www.adobe.com/support/downloads/detail.jsp?ftpID=5357
  • Adobe Reader 9.5.1 for Linux: ftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/
Red Hat has released a security advisory at the following link: RHSA-2012-0469: https://rhn.redhat.com/errata/RHSA-2012-0469.html. Red Hat packages can be updated using the yum or update command.
Severity Description Protected Since Signature ID Default Action
High Adobe Acrobat Reader Buffer Overflow 7/19/2012 1184.0 Block*
More Details:
CVE-2012-0774
CVE-2012-0775
CVE-2012-0776
CVE-2012-0777


Spyeye Trojan Toolkit
Vulnerability Disclosed: 5/17/2012
Spyeye is a trojan toolkit that is used to build malicious software and to perform command-and-control (C&C) functions for infected systems. The malicious software constructed using the toolkit is similar to the Zeus bot and, once installed on a system, allows backdoor administrative access and information-gathering functions. The trojan has been observed targeting web browsers such as Mozilla Firefox and Internet Explorer on Windows systems and can be installed manually or distributed by other means, such as web exploit toolkits. When executed, the trojan may create the files cleansweep.exe\config.bin and cleansweep.exe\cleansweep.exe, which could allow a remote attacker to capture network traffic from the targeted user's browser and transmit the information to unspecified hosts on the Internet. Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Severity Description Protected Since Signature ID Default Action
High Spyeye Trojan Toolkit 7/19/2012 1212.0 Block*


Updated Vulnerability and Exploit Protections

Microsoft Internet Explorer Uninitialized Memory Object Access Arbitrary Code Execution Vulnerability
Vulnerability Disclosed: 10/12/2010, CVSS Base: 9.3, Temporal: 6.9
Microsoft Internet Explorer contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability is due to invalid memory operations when processing malformed websites. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to view a malicious website containing an embedded Microsoft Office document. If successful, the attacker could execute arbitrary code with the privileges of the user. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed the vulnerability in a security bulletin and released software updates.
Severity Description Originally Released Signature ID Default Action
High Microsoft HtmlDlgHelper Remote Code Execution 10/12/2010 30299.0 Block*
More Details:
CVE-2010-3329
Applied Mitigation Bulletin: 21450


Retired Signatures

Signature ID Previous Status Signature Name Threat Name
27839.0 Enabled Windows LNK File Code Execution Microsoft Windows .lnk File Vulnerability Used for Malware Outbreak Targeting SCADA Systems
27839.0 Enabled Windows LNK File Code Execution Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
27839.4 New Windows LNK File Code Execution Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
34785.0 New DCS HMI Denial of Service SCADA Systems Distributed Control Systems Multiple Vulnerabilities
35726.0 New CIP Connected Connection Bind Illegal Length Multiple Vendor SCADA Systems Common Industrial Protocol Device Multiple Remote Denial of Service Vulnerabilities
35727.0 New CIP Unconnected Connection Bind Illegal Length Multiple Vendor SCADA Systems Common Industrial Protocol Device Multiple Remote Denial of Service Vulnerabilities
1137.0 New Microsoft Livemesh Application Cloud-Based File Hosting Synchronization Network Activity
4322.8 New Generic File Transfer Signatures Transmission of Documents over HTTP
1221.0 New Oracle Database Server DBMS_CDC_PUBLISH SQL Injection Oracle Database SYS.DBMS_CDC_PUBLISH Package SQL Injection Vulnerability
1126.0 New WellinTech Kingview Buffer Overflow WellinTech KingView HistoryServer.exe Arbitrary Code Execution Vulnerability
1099.0 New Siemens FactoryLink Denial of Service Siemens Tecnomatix FactoryLink ActiveX Control Buffer Overflow Vulnerability
1097.0 New Siemens FactoryLink Buffer Overflow Siemens Tecnomatix FactoryLink ActiveX Control Buffer Overflow Vulnerability
1105.0 New Siemens FactoryLink Denial of Service Siemens Tecnomatix FactoryLink ActiveX Control Buffer Overflow Vulnerability
1121.0 New Siemens FactoryLink Arbitrary Files Access and Denial of Service Siemens Tecnomatix FactoryLink Insufficient Input Sanitization Arbitrary File Upload Vulnerability
7265.1 New GDI Integer Overflow Microsoft Windows GDI WMF File Handling Integer Overflow Vulnerability
16137.0 New Black Ice Annotation SDK BiAnno Control (BiAnno.ocx) AnnoSaveToTiff() Buffer Overflow Black Ice Annotation SDK/ActiveX Plug-In Buffer Overflow Vulnerability
16137.1 New Black Ice Annotation SDK BiAnno Control (BiAnno.ocx) AnnoSaveToTiff() Buffer Overflow Black Ice Annotation SDK/ActiveX Plug-In Buffer Overflow Vulnerability
16137.2 New Black Ice Annotation SDK BiAnno Control (BiAnno.ocx) AnnoSaveToTiff() Buffer Overflow Black Ice Annotation SDK/ActiveX Plug-In Buffer Overflow Vulnerability
1099.0 New Siemens FactoryLink Denial of Service test
1213.0 New Microsoft Internet Explorer Deflate Encoding Memory Corruption Microsoft Internet Explorer Data Stream Header Processing Memory Corruption Vulnerability
3159.1 New FTP PASS Suspicious Length Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow Vulnerability

* Inline sensor with Event Action Override set to "deny-packet-inline" at Risk Rating 90 (Cisco default configuration)

Sensor Update Information

Signature Updates

Signature updates may be downloaded automatically by Cisco Security Manager (CSM), IPS Manager Express (IME) and Cisco Security Monitoring, Analysis, and Response System (CS-MARS). The following links are for manual downloads.

Sensor Appliance Updates
IPS 4200-series sensors, IPS 4300-series sensors, IDSM2 Catalyst module, AIM-IPS module, ASA-AIP IPS modules

IOS IPS Updates
IOS IPS in Mainline and T-Train Releases prior to 12.4(11)T (Includes NEW Basic and Advanced Set)
IOS IPS in 12.4(11)T or later T-Train

Cisco.com FTP Access Change

Cisco will no longer distribute software that requires a contract or login credentials via ftp.cisco.com from October 2010. Most IPS users will not be affected unless they have manually configured their sensors to download from ftp.cisco.com.

IPS software and signature updates will continue to be available from Cisco.com. These can be retrieved using the built-in authenticated download capabilities in the IDM, IME, MARS and CSM management and monitoring applications or manually from the Software Download area on Cisco.com. Please see the FAQ for more information on manually downloading updates from the Software Download area.

Please direct any questions or concerns regarding this change to ftp_download_feedback@cisco.com.



New Product Announcements


End of Life and End of Sale Announcements

Security Research Library
Increase your knowledge of today's vulnerabilities, tomorrow's threats, and the technology necessary to keep up.
Cisco Security Intelligence Operations
Comprehensive threat intelligence, analysis, and defense to help inform and protect organizations.
Cyber Risk Reports
Weekly strategic intelligence product that highlights current security activity and mid- to long-range perspectives, also available as a podcast.
Cisco IntelliShield Alerts
Up-to-the-minute, actionable intelligence, in-depth vulnerability analysis, and highly reliable threat validation to assist in proactive prevention.
Cisco Applied Mitigation Bulletins
Techniques that use Cisco product abilities to detect and mitigate the most important security events and vulnerabilities.
Virus Watch
Current virus trends from SenderBase ©
Spam Watch
Current spam trends from SenderBase ©
Security Multimedia Library
Podcasts, video datasheets, webcasts and videos with solutions for today's problems.
Cisco Security Intelligence Operations Best Practices
Guidance on specific technologies and problem sets to help organizations secure business applications and processes by identifying, preventing, and adapting to threats.
Cisco Security Services
Professional services to support your Self-Defending Network.
Cisco Security Solutions
Discover the breadth of Cisco solutions available to solve your organization's security issues.
Cisco Security Blog
Collaborate with the Cisco Security Community and gain insights into emerging security threats, trends, and best practices.



This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.


© 1992-2012 Cisco Systems Inc. All rights reserved.