Chicago Security User Group

  • 1.  Is IPS protecting against Shockwave vulnerability APSB10-12?

    Posted May 13, 2010 03:09 PM
    Adobe recently released an update to address multiple issues/vulnerabilities in their Shockwave player.  I tried to find information on the ThreatCon pages to see if IPS will help protect against these vulnerabilities if you don't upgrade to the latest version of Shockwave, but was unable to find anything.

    Does anyone know if SEP/IPS will protect against these holes?  And if so, where do you find that information?

    Thanks,

    Randy


  • 2.  RE: Is IPS protecting against Shockwave vulnerability APSB10-12?
    Best Answer

    Posted May 14, 2010 05:02 AM
    Hi Randall,

    Here's the Adobe vulnerability that you are referring to: http://www.adobe.com/support/security/bulletins/apsb10-12.html There's a link to the latest, invulnerable version 11.5.7.609 from that page.

    The details on SEP's latest Security Updates (SU's) can be found at http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=sep - there's a write-up for each signature (for example, http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20091). Those write-ups include the corresponding vulnerability's reference number. A search of Symantec's site for those reference numbers will return the signatures or definitions which provide protection.

    There are countless vulnerabilities discovered every year. Symantec maintains a partial list at http://www.symantec.com/business/security_response/threatexplorer/vulnerabilities.jsp and a write-up for some of them (http://www.symantec.com/business/security_response/vulnerability.jsp?bid=39927 for example). It would not be possible to create AV and IPS defences against every one, nor is it practical or necessary, if the vendor swiftly comes up with a new and invulnerable release of the software, as Adobe has done in this case. For many that are being seen to be exploited in the wild, defences are created and distributed via LiveUpdate.

    Please let the forum know if this info is helpful and answers your question.  In the meantime, I recommend upgrading Shockwave... I know I have!  :)

    Thanks and best regards,

    Mick



  • 3.  RE: Is IPS protecting against Shockwave vulnerability APSB10-12?

    Posted May 14, 2010 06:10 PM

    So are you saying that since Adobe has an update for their Shockwave player, Symantec does not attempt to detect any malicious code that may be trying to use the holes in the previous version of Shockwave?



  • 4.  RE: Is IPS protecting against Shockwave vulnerability APSB10-12?

    Posted May 14, 2010 06:45 PM
    Absolutely. We certainly wish we could protect every known vulnerability... but there's just too many of them and most of them aren't being exploited. So, as a compromise, we focus on the vulnerabilities that are being actively exploited by threats.

    Ultimately, it's up to the vendor and the end user to maintain the 3rd party software. SEP and IPS is like a bandaid on a wound before you have the doctor look at it... it's temporary and good enough in the meantime. But IPS should never be considered a substitute for the real solution: fixing the code. Real solutions can only be patched by the vendor and installed by the end users.


  • 5.  RE: Is IPS protecting against Shockwave vulnerability APSB10-12?

    Posted May 17, 2010 03:32 AM

    Hi
    You can see all the IPS signatures on your server from this location:
    On the SEPM console go to: Policies > Intrusion Prevention > edit a policy, and then go to the Exceptions menu. Then you can see the whole list if you click the Add button.