Check Point Advisories

Microsoft PowerPoint DLL Planting Code Execution (MS10-087; CVE-2010-3337)

Vulnerability
Protection

Check Point Reference:	CPAI-2010-311
Date Published:	9 Nov 2010
Severity:	Critical
Last Updated:	Tuesday 09 November, 2010
Source:
Industry Reference:	CVE-2010-3337
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	Microsoft Office is an office suite of inter-related desktop applications, servers and services for the Microsoft Windows and Mac OS X operating systems. A memory corruption vulnerability has been identified in the way that Microsoft Office handles the loading of DLL files. This vulnerability requires a user to open an Office document contained within the same working directory as a specially crafted DLL file. . When the user opens the Office file the specially crafted DLL file, which is contained in the same directory as the Office file, will be loaded. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system.

Protection Overview

This protection will detect and block the transferring of the vulnerable DLL over HTTP, SMB, and NetBios.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft PowerPoint DLL Planting Code Execution (MS10-087) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Content Protection Violation.
Attack Information: Microsoft PowerPoint DLL planting code execution (MS10-087)