HighProventia Desktop, Proventia Network IPS, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network MFS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:
This signature looks for search-ms URI with invalid parameters.
High
Proventia Desktop: 2330, Proventia Network IPS: XPU 28.190, BlackICE PC Protection: 3.6crm, RealSecure Network: XPU 28.190, RealSecure Server Sensor: XPU 28.190, Proventia-G 1.1 and earlier: XPU 28.190, Proventia Network IDS: XPU 28.190, IBM Security Server Protection for Windows: 1.0.914.2330, IBM Security Server Protection for Windows: 2.0.300.2330, BlackICE Server Protection: 3.6.crm, Proventia Network MFS: XPU 28.190, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 28.190, Virtual Server Protection for Vmware: 1.0
Microsoft Windows Vista, Microsoft Windows Vista: x64, HP Storage Management Appliance: 2.1, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64
Unauthorized Access Attempt
Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by the improper validation of parameters when parsing the search-ms protocol. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the sytem with the privileges of the victim.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-075. See References.
For other distributions:
Apply the appropriate update for your system. See References.
Microsoft Security Bulletin MS08-075
Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
http://www.microsoft.com/technet/security/bulletin/ms08-075.mspx
IBM Internet Security Systems Protection Alert December 9, 2008
Microsoft Windows search-ms protocol code execution
http://www.iss.net/threats/316.html
HPSBST02394 SSRT080183 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-070 to MS08-077
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01632189&jumpid=reg_R1002_USEN
ISS X-Force
Microsoft Windows search-ms protocol code execution
http://www.iss.net/security_center/static/46866.php
CVE
CVE-2008-4269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4269