Question about Zero-Day Internet Explorer Exploit Published posted by Security Intel Analysis Team's blog
Updated: 02 Jun 2010 | 12 comments
Where is this signature "HTTP IE Style Heap Spray BO" mentioned in the article? We don't see it yet. When will it be released?
Comments
http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published
http://www.symantec.com/business/security_response...
http://www.symantec.com/business/security_response...
These IPS defs have been released and it's there in your IPS defs.
If you edit your IPS policy and go to Exceptions and click Add, then you'll see them:
SID 22809 and 23379
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Thanks for trying to help. Yes, I already did that and verified that the first two signatures were there and set up for blocking. I'm specifically referring to the third signature they mentioned: "HTTP IE Style Heap Spray BO". It's not there as far as I can tell. I'm trying to find out when it will be released.
But no need to take action unless you need/want to do something other than the default, which for these is block and log.
You only need to "add" them if you wish to unblock, or not log, or take some action other than the default.
Usually they come with OK defaults, but in some cases you may need/want to change things.
Example, certain file sharing software activity is allowed by default, but if you highlight and choose "add" then you can choose to BLOCK instead of allow.
These additions for this threat, however, are already set appropriately, so you only need to choose the above actions to "see" them in the list, no need to actually "add" them.
My sites - http://theamcpages.com & http://antique-engines.com
Yes, 22809 is it. Worded slightly differently, but that's it from what I gather:
HTTP Microsoft IE Generic Heap Spray BO
or
HTTP IE Style Heap Spray BO
My sites - http://theamcpages.com & http://antique-engines.com
Wow. ShadowPapa, I didn't try to add an exception. I was verifying that the signatures were there and set up to block. Thanks again for trying to help. But you guys are telling me stuff I already know and not what I asked for. Can someone from Symantec please respond with a date for which the third signature will be released from QA and available in the IPS Def updates?
Thank You
Nobody said you DID try - but you certainly aren't the only one reading these, and many think that, wow, there's an add option and I need to add these in order for them to work (yeah, I've seen that, and some folks reading over your shoulder are novices in the learning stages) - so I was just verifying for John Q. Public that "going to add is simply a way to see what's there".
Note that no one said you were trying to add them...
My sites - http://theamcpages.com & http://antique-engines.com
Okay fair enough. My bad
I'm starting to get scared you guys are listed as Trusted Advisors. That is not the same signature. There are 3 unique signatures listed in that blog posting.
http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=sep
I didn't find the signature in the last three IPS def releases, so it might have been created but will be released in the next IPS defs release.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
I'll elaborate...
>>Symantec currently detects the exploit with the Bloodhound.Exploit.129 antivirus signature <<
Already generically detected by the AV signature
>>Symantec IPS protection also currently detects this exploit with signatures HTTP Microsoft IE Generic Heap Spray BO and HTTP Malicious Javascript Heap Spray BO. <<
Indicating it ALREADY detects with the above two PLUS the generic detection in the AV signatures, meaning it detects the whole shooting match with the AV generic detection, PLUS via IPS with specific definitions for those two, and...
>>A new IPS signature, HTTP IE Style Heap Spray BO, has also been created for this specific exploit<<
Will DOUBLE-UP on the generic AV detection already in place with another - a third, IPS signature. Coming soon to an update near you, although the AV sigs already have it covered.
So, according to the BLOG, you are already covered for all via generic AV signature detection, and specifically with the IPS sigs, and will soon have the third.
I'm not going to worry as I read that as already covered by the AV, and soon to have a specific coverage for the 3rd that the 2 IPS specifics don't currently cover. I've got too many years in this to believe it's not already taken care of.................. been doing this since roughly 1993 or so? I forgot how many years! Well, since NAV 2.0, figure the math........... and since Symantec first bought Central Point and was on CIS and not the "web".
My sites - http://theamcpages.com & http://antique-engines.com
I agree with ShadowsPapa, and as you see the last def was released on 12th Nov and the article is from 20th Nov. So this signature should be added in the next IPS def release.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
I can't believe they didn't release this in the 11/30 IPS update. I hope they do soon, as well as protection for this newer exploit in Metasploit:
http://www.networkworld.com/news/2009/112509-attac...