[guru] Microsoft biztonsagi frissitesek
DATE: Mon, 01 Feb 2010 17:56:03 +0100
A Microsoft Windows NT #GP Trap kezelője hibás, 16 bites módban (DOS vagy
3.1 Windows alkalmazások) a kernel stack címe beállítható, így kernel módú
kód futtatás lehetséges. A Microsoft ezt a hibát a mai napig nem javította.
Több súlyos biztonsági hibát is találtak az Internet Explorer-ben, ezeket
az MS10-002 frissítés orvosolja.
--- Begin Message ---
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-------------------------------------------------------------------------
CVE-2010-0232
In order to support BIOS service routines in legacy 16bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.
Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame once
authenticity has been verified.
This verification relies on the following incorrect assumptions:
- Setting up a VDM context requires SeTcbPrivilege.
- ring3 code cannot install arbitrary code segment selectors.
- ring3 code cannot forge a trap frame.
This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009).
Working out the details of the attack is left as an exercise for the reader.
Just kidding, that was an homage to Derek Soeder :-)
- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.
Creating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order
to access the authenticated system service, NtVdmControl(). VdmAllowed can
only be set using NtSetInformationProcess(), which verifies the caller has
SeTcbPrivilege. If this is true, the caller is very privileged and can
certainly be trusted.
This restriction can be subverted by requesting the NTVDM subsystem, and then
using CreateRemoteThread() to execute in the context of the subsystem process,
which will already have this flag set.
- Assumption 1: ring3 code cannot install arbitrary code segment selectors.
Cpl is usually equal to the two least significant bits of cs and ss, and is
a simple way to calculate the privilege of a task. However, there is an
exception, Virtual-8086 mode.
Real mode uses a segmented addressing scheme in order to allow 16-bit
addresses to access the 20-bit address space. This is achieved by forming
physical addresses from a calculation like (cs << 4) + (eip & 0xffff). The
same calculation is used to map the segmented real address space onto the
protected linear address space in Virtual-8086 mode. Therefore, I must be
permitted to set cs to any value, and checks for disallowed or privileged
selectors can be bypassed (PsSetLdtEnties will reject any selector where any
of the three lower bits are unset, as is the case with the required cs pair).
- Assumption 2: ring3 code cannot forge a trap frame.
Returning to usermode with iret is a complicated operation, the pseudocode for
the iret instruction alone spans several pages of Intel's Software Developers
Manual. The operation occurs in two stages, a pre-commit stage and a
post-commit stage. Using the VdmContext installed using NtVdmControl(), an
invalid context can be created that causes iret to fail pre-commit, thus
forging a trap frame.
The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().
--------------------
Affected Software
------------------------
All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to
be affected, including but not limited to the following actively supported
versions:
- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
--------------------
Consequences
-----------------------
Upon successful exploitation, the kernel stack is switched to an attacker
specified address.
An attacker would trigger the vulnerability by setting up a specially
formed VDM_TIB in their TEB, using a code sequence like this:
/* ... */
// Magic CS required for exploitation
Tib.VdmContext.SegCs = 0x0B;
// Pointer to fake kernel stack
Tib.VdmContext.Esi = &KernelStack;
// Magic IP required for exploitation
Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;
NtCurrentTeb()->Reserved4[0] = &Tib;
/* ... */
Followed by
/* ... */
NtVdmControl(VdmStartExecution, NULL);
/* ... */
Which will reach the following code sequence via the #GP trap handler,
nt!KiTrap0D. Please note how the stack pointer is restored from the saved
(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition
described above.
/* ... */
.text:0043C3CE Ki386BiosCallReturnAddress proc near
.text:0043C3CE mov eax, large fs:KPCR.SelfPcr
.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]
.text:0043C3D7 mov edi, [edi]
.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]
.text:0043C3DC mov ecx, 84h
.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi
.text:0043C3E4 rep movsd
.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]
.text:0043C3E9 add esp, 4
.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]
.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi
.text:0043C3F5 mov eax, [eax+KPCR.TSS]
.text:0043C3F8 sub edi, 220h
.text:0043C3FE mov [eax+KTSS.Esp0], edi
.text:0043C401 pop edx
.text:0043C402 mov [ecx+KTHREAD.Teb], edx
.text:0043C405 pop edx
.text:0043C406 mov large fs:KPCR.NtTib.Self, edx
.text:0043C40D mov ebx, large fs:KPCR.GDT
.text:0043C414 mov [ebx+3Ah], dx
.text:0043C418 shr edx, 10h
.text:0043C41B mov byte ptr [ebx+3Ch], dl
.text:0043C41E mov [ebx+3Fh], dh
.text:0043C421 sti
.text:0043C422 pop edi
.text:0043C423 pop esi
.text:0043C424 pop ebx
.text:0043C425 pop ebp
.text:0043C426 retn 4
/* ... */
Possibly naive example code for triggering this condition is availble from the
link below.
http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip
The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista
and Windows 7. Support for other affected operating systems is left as an
exercise for the interested reader.
-------------------
Mitigation
-----------------------
If you believe you may be affected, you should consider applying the workaround
described below.
Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack
from functioning, as without a process with VdmAllowed, it is not possible to
access NtVdmControl() (without SeTcbPrivilege, of course).
The policy template "Windows Components\Application Compatibility\Prevent
access to 16-bit applications" may be used within the group policy editor to
prevent unprivileged users from executing 16-bit applications. I'm informed
this is an officially supported machine configuration.
Administrators unfamiliar with group policy may find the videos below
instructive. Further information is available from the Windows Server
Group Policy Home
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.
To watch a demonstration of this policy being applied to a Windows Server 2003
domain controller, see the link below.
http://www.youtube.com/watch?v=XRVI4iQ2Nug
To watch a demonstration of this policy being applied to a Windows Server 2008
domain controller, see the link below.
http://www.youtube.com/watch?v=u8pfXW7crEQ
To watch a demonstration of this policy being applied to a shared but
unjoined Windows XP Professional machine, see the link below.
http://www.youtube.com/watch?v=u7Y6d-BVwxk
On Windows NT4, the following knowledgebase article explains how to disable the
NTVDM and WOWEXEC subsystems.
http://support.microsoft.com/kb/220159
Applying these configuration changes will temporarily prevent users from
accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.
If you do not require this feature and depend on NT security, consider
permanently disabling it in order to reduce kernel attack surface.
-------------------
Solution
-----------------------
Microsoft was informed about this vulnerability on 12-Jun-2009, and they
confirmed receipt of my report on 22-Jun-2009.
Regrettably, no official patch is currently available. As an effective and easy
to deploy workaround is available, I have concluded that it is in the best
interest of users to go ahead with the publication of this document without an
official patch. It should be noted that very few users rely on NT security, the
primary audience of this advisory is expected to be domain administrators and
security professionals.
-------------------
Credit
-----------------------
This bug was discovered by Tavis Ormandy.
-------------------
Greetz
-----------------------
Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,
ScaryBeasts, spender and all my other elite colleagues.
Check out some photography while at ring0 @ http://flickr.com/meder.
-------------------
References
-----------------------
Derek Soeder has previously reported some legendary NT bugs, including multiple
vdm bugs that, while unrelated to this issue, make fascinating reading.
- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation
- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation
- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation
-------------------
Appendix
-----------------------
SHA-1 checksum of KiTrap0D.zip follows.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo
x7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX
B5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn
TQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW
XtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx
ucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==
=LHU0
-----END PGP SIGNATURE-----
--
-------------------------------------
taviso@sdf.lonestar.org | finger me for my gpg key.
-------------------------------------------------------
--- End Message ---
--- Begin Message ---
ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-011
January 21, 2010
-- CVE ID:
CVE-2010-0244
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists when a Col element is used within an HTML table
container. If this element is removed while the table is in use a cache
that exists of the table's cells will be used after one of it's elements
has been invalidated. This can lead to code execution under the context
of the currently logged in user.
-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* wushi of team509
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
--- End Message ---
--- Begin Message ---
ZDI-10-012: Microsoft Internet Explorer Baseline Tag Rendering Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-012
January 21, 2010
-- CVE ID:
CVE-2010-0246
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 7
Microsoft Internet Explorer 8
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9429.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that an
attacker must coerce a victim to visit a malicious page.
The specific flaw exists due to the application rendering intertwined
strike and center tags containing an element that manipulates the font
baseline such as 'sub' or 'sup'. When this element pointer is removed
the application will later dereference it even though it has been freed.
Successful exploitation can lead to arbitrary code execution under the
context of the currently logged in user.
-- Vendor Response:
Microsoft states:
http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
-- Disclosure Timeline:
2009-07-16 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Sam Thomas of eshu.co.uk
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
--- End Message ---
--- Begin Message ---
ZDI-10-013: Microsoft Internet Explorer Table Layout Reuse Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-013
January 21, 2010
-- CVE ID:
CVE-2010-0245
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer 8
Microsoft Internet Explorer 7
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists when specific elements are used within a table
container. If one of these elements is removed the application will
unlink the element from the layout tree incorrectly. When this tree is
later traversed, the application will reuse the object that has been
freed which can lead to code execution under the context of the current
user.
-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
-- Disclosure Timeline:
2009-07-14 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Sam Thomas of eshu.co.uk
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
--- End Message ---
--- Begin Message ---
ZDI-10-014: Microsoft Internet Explorer item Object Memory Corruption Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-014
January 21, 2010
-- CVE ID:
CVE-2010-0248
-- Affected Vendors:
Microsoft
-- Affected Products:
Microsoft Internet Explorer
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9427.
For further product information on the TippingPoint IPS, visit:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Internet Explorer. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page.
The specific flaw exists in the handling of cloned DOM objects in
JavaScript. A specially crafted sequence of object cloning can result in
the use of a pointer after it has been freed. Successful exploitation
can lead to remote system compromise under the credentials of the
currently logged in user.
-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
-- Disclosure Timeline:
2009-08-14 - Vulnerability reported to vendor
2010-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Peter Vreugdenhil ( http://www.vreugdenhilresearch.nl )
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-021A
Microsoft Internet Explorer Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Internet Explorer
Overview
Microsoft has released out-of-band updates to address critical
vulnerabilities in Internet Explorer.
I. Description
Microsoft has released updates for multiple vulnerabilities in
Internet Explorer, including the vulnerability detailed in
Microsoft Security Advisory 979352 and US-CERT Vulnerability Note
VU#49251.
II. Impact
By convincing a user to view a specially crafted HTML document or
Microsoft Office document, an attacker may be able to execute
arbitrary code with the privileges of the user.
III. Solution
Apply updates
Microsoft has released updates to address these vulnerabilities.
Please see Microsoft Security Bulletin MS10-002 for more
information.
Apply workarounds
Microsoft has provided workarounds for some of the vulnerabilities
in MS10-002.
IV. References
* Microsoft Security Bulletin MS10-002 -
<http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx>
* Microsoft Security Advisory 979352 -
<http://www.microsoft.com/technet/security/advisory/979352.mspx>
* US-CERT Vulnerability Note VU#49251 -
<http://www.kb.cert.org/vuls/id/492515>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-021A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-021A Feedback VU#49251" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 21, 2010: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBS1i9/C/E9ke+6HGsAQJdMQgA0HJlKy01j6rUpcpU9VHnGgPv56akxzac
YQIWL0n3ggsc6EKcDM6Nnes6+VXFuZyNuzw16S2sTSh13PLjRiAdEtM3a5k/TDrX
LdUEzipjYnXm0jn7EwGpoxNOHFI1fIaQhnQuWhM9S3Ri4lClROl0NZSAJnjIy7sU
UiTuIkN2x/nTmYwgVXX4bczRFStgcqkcv16BHIChXqHO/zOGK0ACO/b8oG0zIHPg
rEsvPy86M7v5LCNGGf6+H3bkcwjoWEOcPuXhpQkJT7BDWsz8F+kUCvCdMbbmTFzZ
d0cdSCKyS7Wo9iBGBmD8R84GIALwnTyRdr9QtiFlA4UWOScV/7JFQQ==
=L4w6
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Microsoft Internet Explorer Remote Memory Corruption Vulnerability
2010.January.21
Summary:
========
Fortinet's FortiGuard Labs has discovered a memory corruption vulnerability in Microsoft's Internet Explorer.
Impact:
=======
Remote Code Execution.
Risk:
=====
Critical
Affected Software:
==================
For a list of Internet Explorer versions affected, please see the Microsoft Security Advisory reference below.
Additional Information:
=======================
In order to compromise a system / remotely execute code, an attacker would lure a user to a maliciously crafted website. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
Solutions:
==========
Since an attack scenario would require a user to visit a malicious website, it is recommended to have a layered security solution through webfiltering and intrusion prevention for mitigation.
* Use the solution provided by Microsoft (MS10-002).
* FortiGuard Labs released the signature "MS.IE.MergeAttributes.Remote.Code.Execution".
o Advanced zero-day protection has been available since September 3, 2009.
FortiGuard Labs continues to monitor attacks against this vulnerability.
Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
References:
===========
FortiGuard Advisory: http://www.fortiguard.com/advisory/FGA-2010-05.html
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
CVE ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0247
Acknowledgement:
================
Haifei Li of Fortinet's FortiGuard Labs
--- End Message ---