Microsoft Internet Explorer WinINet code execution (NTLM_MultiProto_Reflection)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature inspects NTLMSSP negotiations for a challenge that is reflected back to the client that originally issued it. Such a reflection can let an attacker use the client's own credentials to access the client host.
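As an added illustration of the check described above (not the sensor's own code), the following Python records the 8-byte ServerChallenge from every NTLMSSP CHALLENGE_MESSAGE (Type 2) a host sends and raises an alert when that same challenge is later delivered back to the host that issued it; the IP addresses and messages are constructed samples.

```python
import struct
from collections import defaultdict

NTLMSSP_SIG = b"NTLMSSP\x00"

def parse_type2_challenge(msg: bytes):
    """Return the 8-byte ServerChallenge of an NTLMSSP CHALLENGE_MESSAGE (Type 2), else None."""
    if len(msg) < 32 or msg[:8] != NTLMSSP_SIG:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 2:     # MessageType at offset 8
        return None
    return msg[24:32]                                # ServerChallenge at offset 24

def build_type2(challenge: bytes, flags: int = 0x00008201) -> bytes:
    """Constructed sample Type 2 message with an empty TargetName (for the demo only)."""
    assert len(challenge) == 8
    target_name = struct.pack("<HHI", 0, 0, 40)      # TargetNameLen, MaxLen, BufferOffset
    return (NTLMSSP_SIG + struct.pack("<I", 2) + target_name
            + struct.pack("<I", flags) + challenge + b"\x00" * 8)

class ReflectionDetector:
    """Remember which host issued each challenge; alert when a host is sent its own challenge."""
    def __init__(self):
        self.issued = defaultdict(set)               # issuing host -> challenges it has sent

    def observe(self, src: str, dst: str, payload: bytes):
        chal = parse_type2_challenge(payload)
        if chal is None:
            return None                              # not a Type 2 message, nothing to track
        if chal in self.issued[dst]:
            return f"NTLM_MultiProto_Reflection: {src} sent {dst} its own challenge {chal.hex()}"
        self.issued[src].add(chal)
        return None

def demo():
    """Constructed flows: client 10.0.0.5, hostile host 10.0.0.9, legitimate server 10.0.0.7."""
    det = ReflectionDetector()
    chal = bytes.fromhex("0123456789abcdef")
    return [
        det.observe("10.0.0.7", "10.0.0.5", build_type2(bytes.fromhex("a5a5a5a5a5a5a5a5"))),  # normal challenge
        det.observe("10.0.0.5", "10.0.0.9", build_type2(chal)),   # client, acting as SMB server, challenges 10.0.0.9
        det.observe("10.0.0.9", "10.0.0.5", build_type2(chal)),   # same challenge comes back to the client over HTTP
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```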


False positives

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: A false positive is known to exist when NTLM negotiation occurs through a proxy server. This will manifest itself specifically when the protocol is HTTP.

Default risk level

High

Sensors that have this signature

IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.300.2380, IBM Security Server Protection for Windows: 1.0.914.2380, Proventia Network IDS: XPU 29.040, Proventia-G 1.1 and earlier: XPU 29.040, Proventia Network MFS: XPU 29.040, RealSecure Server Sensor: XPU 29.040, RealSecure Network: XPU 29.040, Proventia Network IPS: XPU 29.040, Proventia Desktop: 2380, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 29.040

Systems affected

Microsoft Internet Explorer: 6.0, Microsoft Internet Explorer: 6.0 SP1, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Internet Explorer: 7.0, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Internet Explorer: 5.0.1 SP4, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of NTLM credentials by WinINet. By persuading a victim to visit a specially-crafted Web site using Internet Explorer, a remote attacker could reflect the victim's credentials back to the attacker and execute arbitrary code on the system with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

For other distributions:
Apply the appropriate update for your system. See References.

References

Microsoft Security Bulletin MS09-014
Cumulative Security Update for Internet Explorer (963027)
http://www.microsoft.com/technet/security/bulletin/ms09-014.mspx

Microsoft Security Bulletin MS09-013
Vulnerabilities in Windows HTTP services could allow Remote Code Execution (960803)
http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx

NORTEL BULLETIN ID: 2009009451, Rev 1
Nortel Response to Microsoft Security Bulletin MS09-014
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=871138&poid=

ISS X-Force
Microsoft Internet Explorer WinINet code execution
http://www.iss.net/security_center/static/49549.php

CVE
CVE-2009-0550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0550