Endpoint Protection

Hi Everyone,

Do we know if Symantec is working on an IPS signature for this new zero-day threat?

VBScript Exploit:
http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

It looks like Microsoft is still investigating the error.

Mike

Hi Postechgeek,

Symantec is aware of this item and is investigating.  Unfortunately, there is no additional infiormation that can be revealed at present.  

Thanks and best regards,

Mick

Great, thanks for the info. I apperciate it.

Mike

Any updates on this?

None yet, keep watching the Security Response page for updates.

http://www.symantec.com/business/security_response/threatexplorer/index.jsp

You might just want to create an application control rule, blocking winhlp32.exe from loading *.hlp files from a network share.

MS have released a new post about this: Security Advisory 981169 Released

The Security Advisory itself: Microsoft Security Advisory (981169)

The only thing that I can say at present is that Symantec is aware of the issue and investigating. 

Thanks and best regards,

Mick

Any Updates?

I have been watching this topic, too.

As soon as more information is made public, I will create a link to it from this thread.

Thanks and best regards,

Mick

It looks like Symantec has posted an IPS def for this issue.

ID: 23662
http://www.symantec.com/en/sg/business/security_response/attacksignatures/detail.jsp?asid=23662

Posted yesterday 3-10-2010. The NTP def date should be 3-10-2010 rev1.

Mike

IPS protection against the Microsoft Internet Explorer 'winhlp32.exe' 'MsgBox()' Remote Code Execution Vulnerability (Bugtraq ID:  38463) is now available to SEP IPS users.  Run LiveUpdate to download the latest Network Threat Protection updates, and be sure that the 23662 attack signature is enabled. 

See HTTP IE VBScript RCE for more details!

Thanks and best regards,

Mick