Monday, January 9, 2012

Sourcefire VRT Closes Vulnerability Exposure Gap

Just before the new year Microsoft released MS11-100, which addressed a denial-of-service (DoS) vulnerability affecting its own ASP.NET as well as several other web application frameworks. The vulnerability could consume a web server's entire CPU with a single, low-bandwidth POST request. The Sourcefire Vulnerability Research Team (VRT) responded immediately, not only to help protect our own customers, but to help Microsoft coordinate its response with vendor partners and its own customers.

We immediately created SIDs 20823 and 20824 in a Security Enhancement Update (SEU) and released them to Microsoft and our customers. Microsoft had initially created its own Snort rules, but swapped those out for the ones we created for our commercial Next-Generation IPS signatures, both to protect its own properties and to share with its customers. From the Microsoft blog post on December 29, 2011:

"Sourcefire, while developing their IDS/IPS signature, has been kind enough to share their Snort rule with us and has given us permission both to use it in protecting Microsoft’s properties and also to share with customers. While the Snort rules we provided in the blog yesterday were effective in detecting the issue, Sourcefire's rules are more efficient… Thanks, Sourcefire team, for your help!"

As Alex Kirk noted in our initial VRT blog post, the details of this attack are complex and vary from platform to platform, but this is the type of complexity that Snort detections are most suited for, based on its flexible, defensive technology for dynamic environments.

We appreciate the thanks from Microsoft, but it’s also important to note that we produce detections like this and Snort rule updates almost daily. The VRT also analyzes numerous public vulnerability feeds every day, looking for new threats and acting on that information in real time to develop new detection content. In addition, industry partnerships like the Microsoft Active Protection Program (MAPP) allow us to quickly and effectively handle new threats targeting Microsoft and Adobe products, releasing our detection on the same day Microsoft releases its patches. This allows our customers to protect their critical assets with network and host-based protection while they test and deploy these new patches. All of this helps close the exposure gap.

The Sourcefire VRT was founded on one core objective: "Protecting 'Your' Network." While this may sound simplistic, in reality it is quite complex. Every network is different—from the applications running on it, to the users who work on it, to the policies that govern it. This is why the Sourcefire VRT believes that in order to be effective in helping you protect "your" network, we have to be more than just a traditional response organization; we have to be a proactive member of your security ecosystem. We are pleased that we could do this for Microsoft, and even more pleased that we can keep helping customers in the face of today’s advanced threats.
