Network Security Signature Sets Release Bulletin (7.5.11.4)

Last updated: 2012/04/10 (US time)

The following Network Security Signature Sets became available on the McAfee Downloads server on 04-10-2012: (7.5.11.4)

McAfee recommends the following:

Upgrade to the latest version of the IntruShield Manager (KB55448).

Download the latest signature set from the Update Server to the Manager.

NOTE: Upgrades are available online from the McAfee Download Server: http://www.mcafee.com/us/downloads/downloads.aspx. To verify the appropriate license for upgrading, a GRANT number is required.

Version 7.5.11.4

This set contains many signature updates, protocol updates, and new signatures for I-Series.

Attacks Added (11):

MEDIUM - HTTP: Adobe Flash player NetStream Remote Code Execution (0x402ba700): Exploit: This alert indicates an attempt to exploit a memory corruption vulnerability in Adobe Flash player NetStream class. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Adobe Reader Javascript Remote Code Execution (0x402bb500): Exploit: This alert indicates an attempt to exploit a vulnerability present in Adobe Acrobat Reader JavaScript. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft Office WPS Converter Heap Overflow Vulnerability (0x402bac00): Exploit: This alert indicates an attempt to exploit a heap overflow vulnerability in the WPS converter of Microsoft Office. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability (0x402bad00): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in the MSCOMCTL ActiveX Control. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft OnReadyStateChange Remote Code Execution Vulnerability (0x402bae00): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in Microsoft Internet Explorer. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft SelectAll Remote Code Execution Vulnerability (0x402baf00): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in Microsoft Internet Explorer. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft VML Remote Code Execution Vulnerability (0x402bb000): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in the Vector Graphics rendering engine of Microsoft Internet Explorer. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft WinVerifyTrust Signature Validations Vulnerability (0x402bb100): Exploit: This alert indicates an attempt to exploit a vulnerability in the Windows Authenticode Signature Verification Function. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Micorosft .Net Framework Parameter validation Vulnerability (0x402bb200): Exploit: This alert indicates an attempt to exploit a vulnerability in Windows. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Adobe Reader True Type Font remote code execution (0x402bb400): Exploit: This alert indicates an attempt to exploit a vulnerability present in the True Type Font rendering of Adobe Acrobat Reader. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

INFO - HTTP: Adobe Flash player URL Domain Check Remote Code Execution (0x402ba800): PolicyViolation: This alert indicates an attempt to exploit a memory corruption vulnerability in Adobe Flash player URL security domain checking.

Attacks Modified (8):

HIGH - RDP: Microsoft Remote Desktop Protocol Remote Code Execution II (0x47900600): Exploit: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Generic I (0x40235100): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Online Trade II (0x40234100): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Online Trade I (0x40234000): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Financial Institution I (0x40233600): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Online Trade III (0x40234200): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Financial Institution VI (0x40233b00): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: ColdFusion sourcewindow File Disclosure (0x4020c300): Exploit: Documentation change.

Attacks Removed (0): None

Protocols Added (0): None

Protocols Modified (1): rdp

Protocols Removed (0): None

This set contains many signature updates, protocol updates, and new signatures for M-Series.

Attacks Added (0): None

Attacks Added (12):

MEDIUM - HTTP: Adobe Flash player NetStream Remote Code Execution (0x402ba700): Exploit: This alert indicates an attempt to exploit a memory corruption vulnerability in Adobe Flash player NetStream class. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Adobe Reader Javascript Remote Code Execution (0x402bb500): Exploit: This alert indicates an attempt to exploit a vulnerability present in Adobe Acrobat Reader JavaScript. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft Office WPS Converter Heap Overflow Vulnerability (0x402bac00): Exploit: This alert indicates an attempt to exploit a heap overflow vulnerability in the WPS converter of Microsoft Office. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability (0x402bad00): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in the MSCOMCTL ActiveX Control. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft OnReadyStateChange Remote Code Execution Vulnerability (0x402bae00): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in Microsoft Internet Explorer. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft SelectAll Remote Code Execution Vulnerability (0x402baf00): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in Microsoft Internet Explorer. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft VML Remote Code Execution Vulnerability (0x402bb000): Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in the Vector Graphics rendering engine of Microsoft Internet Explorer. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Microsoft WinVerifyTrust Signature Validations Vulnerability (0x402bb100): Exploit: This alert indicates an attempt to exploit a vulnerability in the Windows Authenticode Signature Verification Function. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Micorosft .Net Framework Parameter validation Vulnerability (0x402bb200): Exploit: This alert indicates an attempt to exploit a vulnerability in Windows. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: JRE Sandbox Object Deserialization Vulnerability (0x402bb300): Exploit: This alert indicates an attempt to exploit a vulnerability in object deserialization in the JRE sandbox mechanism. This alert is for M-Series sensors only. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

MEDIUM - HTTP: Adobe Reader True Type Font remote code execution (0x402bb400): Exploit: This alert indicates an attempt to exploit a vulnerability present in the True Type Font rendering of Adobe Acrobat Reader. This alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.

INFO - HTTP: Adobe Flash player URL Domain Check Remote Code Execution (0x402ba800): PolicyViolation: This alert indicates an attempt to exploit a memory corruption vulnerability in Adobe Flash player URL security domain checking.

Attacks Modified (13):

HIGH - HTTP: SHOUTcast Filename Format String Vulnerability (0x40236b00): Exploit: Documentation change. This alert is for M-Series sensors only.

HIGH - RDP: Microsoft Remote Desktop Protocol Remote Code Execution II (0x47900600): Exploit: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: ocPortal Arbitrary File Inclusion Vulnerability (0x40221f00): Exploit: Documentation change. This alert is for M-Series sensors only.

MEDIUM - HTTP: BigBrother Access Validation Error (0x40207700): Exploit: Signature change to improve detection accuracy and/or performance. This alert is for M-Series sensors only.

MEDIUM - HTTP: Phishing Attempt for Generic I (0x40235100): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Online Trade II (0x40234100): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Online Trade I (0x40234000): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Financial Institution I (0x40233600): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Online Trade III (0x40234200): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: Phishing Attempt for Financial Institution VI (0x40233b00): PolicyViolation: Signature change to improve detection accuracy and/or performance.

MEDIUM - HTTP: checklogin.php Execute Command (0x40212d00): Exploit: Documentation change. This alert is for M-Series sensors only.

MEDIUM - HTTP: ColdFusion sourcewindow File Disclosure (0x4020c300): Exploit: Documentation change.

LOW - HTTP: htmlscript Retrieve Infomation (0x40201e00): Exploit: Documentation change. This alert is for M-Series sensors only.

Attacks Removed (0): None

Protocols Added (0): None

Protocols Modified (1): rdp

Protocols Removed (0): None

NOTE: For attacks requiring HTTP Response settings, see article KB50726.