Suspicious JavaScript Tokens (JavaScript_Obfuscation_Fre)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:

This signature detects a suspicious-looking sequence of JavaScript tokens employed in code obfuscation.


False positives

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology: It is not possible to determine whether the code that triggers this event is malicious; it may be well-formed obfuscated code designed to hide intellectual property.

Default risk level

High

Sensors that have this signature

IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.300.2400, IBM Security Server Protection for Windows: 1.0.914.2400, Proventia Network IDS: XPU 29.060, Proventia-G 1.1 and earlier: XPU 29.060, Proventia Network MFS: XPU 29.060, RealSecure Server Sensor: XPU 29.060, RealSecure Network: XPU 29.060, Proventia Network IPS: XPU 29.060, Proventia Desktop: 2400, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 29.060

Systems affected

Microsoft Windows XP, Microsoft Windows 2000: SP4, Microsoft Windows 2003

Type

Suspicious Activity

Vulnerability description

Microsoft DirectX could allow a remote attacker to execute arbitrary code on the system, caused by a NULL byte overwrite vulnerability in quartz.dll. By persuading a victim to open a specially-crafted QuickTime media file, a remote attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

ISS X-Force
Suspicious JavaScript Tokens
http://www.iss.net/security_center/static/51587.php

CVE
CVE-2009-1537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1537