Network Associates, Inc., the leading provider of intrusion prevention solutions, announced that it provides comprehensive system and network protection for the MS03-048, MS03-049, MS03-050 and MS03-051 vulnerabilities announced by Microsoft Corporation. The vulnerabilities have been reviewed by security research teams at McAfee(R) Security. Based on its findings, McAfee Security recommends that users confirm the Microsoft product versioning outlined below in the Microsoft bulletin to ensure protection and to update or deploy the solutions outlined.
These McAfee solutions include McAfee(R) VirusScan(R), McAfee(R) Entercept(TM), McAfee(R) IntruShield(R), McAfee(R) ThreatScan(R), McAfee(R) Desktop Firewall, Sniffer(R) Distributed, Sniffer(R) Portable, and Netasyst(TM) Network Analyzer to identify and block attempts to exploit the vulnerabilities disclosed by Microsoft.
Microsoft Vulnerabilities Overview
— MS03-048 — Cumulative Security Update for Internet Explorer (824145)
— MS03-049 — Buffer Overrun in the Workstation Service Could Allow Code
— MS03-050 — Vulnerability in Microsoft Word and Microsoft Excel Could
Allow Arbitrary Code to Run (831527)
— MS03-051 — Buffer Overrun in Microsoft FrontPage Server Extensions
Could Allow Code Execution (813360)
Scope of Potential Comprises
These vulnerabilities range in scope from allowing arbitrary code to be run on a users machine (MS03-048/49/50/51), causing a buffer-overflow/over-run (MS03-049/51), to a specially crafted XLS file that can bypass any security settings and allow the execution of any macro in the spreadsheet (MS03-050). In addition, a buffer overrun vulnerability in FrontPage Server Extension and another vulnerability in the SmartHTML Interpreter could lead to denial of service on the server running FrontPage Extension. More information can be found at http://vil.nai.com/vil/content/v_100817.htm and
McAfee Security Solutions
The McAfee AVERT DAT files, version 4303, will be posted on Wednesday, November 12, 2003 and will contain new signatures to detect certain MS03-048 exploits that may use the sample exploit code used to discover these threats. Extra.dats are available to those users who believe they are in need by sending email to firstname.lastname@example.org.
McAfee Entercept, by default, protects users against code execution for buffer overflow/overrun vulnerabilities that may be used against the MS03-049 and MS03-051 vulnerabilities. This protection functions whether or not the server has the latest security patch installed. McAfee IntruShield stops the MS03-049 and MS03-051 vulnerabilities, with 18.104.22.168 signature set or later and will receive alerts on attacks exploiting this vulnerability. McAfee IntruShield sensors deployed in in-line mode can be configured with a response action to drop such packets for preventing these attacks. McAfee Desktop Firewall stops the MS03-049 vulnerability by blocking UDP ports 138, 139, 445 and TCP ports 138, 139 and 445. Filters have been created for Sniffer Distributed, Sniffer Portable and the Netasyst Network Analyzer to alert network managers to the presence of
malicious traffic traveling in the network specific to these vulnerabilities and potential exploits. They can be found at http://vil.nai.com/vil/content/v_100817.htm .
McAfee Security recommends that users affected by the Microsoft vulnerabilities deploy the necessary patches and adhere to Microsoft’s security recommendations. Users affected by these specific vulnerabilities should update their systems with the necessary patch available on the Microsoft web site at http://www.microsoft.com/security/security_bulletins .