Microsoft Malware Protection Engine data structure denial of service (PE_MS_Protection_Engine_DoS)

About this signature or vulnerability

RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology:

This signature detects a malformed document that may cause a denial of service in vulnerable versions of the Microsoft Malware Protection Engine.


Default risk level

Low

Sensors that have this signature

RealSecure Server Sensor: XPU 28.060, RealSecure Network: XPU 28.060, BlackICE PC Protection: 3.6cqz, BlackICE Server Protection: 3.6.cqz, Proventia Server IPS for Linux technology: 28.060, Proventia Desktop: 2200, Proventia Network IPS: XPU 28.060, Proventia-G 1.1 and earlier: XPU 28.060, Proventia Network MFS: XPU 28.060, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2200

Systems affected

Microsoft Antigen for Exchange, Microsoft Windows Defender, Microsoft Antigen for SMTP Gateway, Microsoft Windows Live OneCare, Microsoft Forefront Client Security, Microsoft Forefront Security for Exchange Server, Microsoft Forefront Security for SharePoint, Microsoft Standalone System Sweeper located in Diagnostics and Recovery Toolset: 6.0

Type

Denial of Service

Vulnerability description

Microsoft Malware Protection Engine is vulnerable to a denial of service, caused by improper validation of certain data structures when parsing files. By persuading a victim to scan a specially crafted file using the Microsoft Malware Protection Engine, a remote attacker could cause large temporary files to be created and consume all available disk resources. An attacker could exploit this vulnerability by hosting the malicious file on a Web site or sending the file as an email attachment.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-029. See References.

References

Microsoft Security Bulletin MS08-029
Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044)
http://www.microsoft.com/technet/security/bulletin/ms08-029.mspx

HPSBST02336 SSRT080071 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-026 to MS08-029
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01460710

ISS X-Force
Microsoft Malware Protection Engine data structure denial of service
http://www.iss.net/security_center/static/42108.php

CVE
CVE-2008-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1438