Endpoint Protection


IPS Signature for MS 0-day iepeers.dll vulnerability?

  • 1.  IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 10, 2010 09:43 PM
    Reports are out that a 0-day exploit against IE is out and actively targeted. Any idea when Symantec will release an IPS signature for this? Microsoft's workarounds are to 1) change ACLs on the affected DLL, which breaks printing, and 2) enable DEP, which blows up certain web-based apps. McAfee has a signature out, wondering if Symantec is not too far behind.
    For reference, http://www.microsoft.com/technet/security/advisory/981374.mspx has all the details.
    Thanks! 


  • 2.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?



  • 3.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 10, 2010 10:03 PM
    Rafeeq,
    All I see is some general information about the attack, not the fact that a signature is available. Do you have a signature number by any chance? We've tested with Metasploit, and both SAV and SEP with up-to-date definitions for both AV and IPS let the exploit through and executed a payload.

    Dimitri 


  • 4.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 10, 2010 10:04 PM
    This is the latest IPS I can find inside the SEPM; let me run LiveUpdate and check it again.

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23672



  • 5.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 10, 2010 10:08 PM
    Nope, that's not it. The one you're seeing is for this:
    http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx 


  • 6.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 10, 2010 10:11 PM
    Correct, Dimitri, still not able to find the fine one after running LU, not sure when that will be uploaded.
    Let's wait to hear from Symantec :)
    LU Completed no new IPS sigs


  • 7.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 11, 2010 12:43 AM
    Based on the Metasploit attack signature, I created a custom IPS signature for SEP that blocks it. I have no idea if this will break any of your custom JavaScript apps, so use it at your own risk. Hopefully Symantec comes out with a legitimate IPS signature very soon, but in the meantime this should block those unobfuscated attacks that were seen in the wild.


  • 8.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 11, 2010 07:56 AM
    So, just to be clear.
    IPS signature 23672 does not protect against MS advisory 981374?

    MS Security Advisory:
    http://www.microsoft.com/technet/security/advisory/981374.mspx

    IPS:
    http://www.symantec.com/en/sg/business/security_response/attacksignatures/detail.jsp?asid=23672

    Symantec is pretty vague in their description.

    Mike



  • 9.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 11, 2010 11:09 AM
    You are correct, IP signature 32672 does not protect against 0-day MS981374, it's for a different vulnerability altogether, I posted a link above that points to it.
    As of now, SEP has no IPS signature to detect the MS981374 exploit, I even tried Rapid Release definitions that came out today.
    Anyone from Symantec want to chime in as to when it will become available? 


  • 10.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?
    Best Answer

    Posted Mar 11, 2010 12:38 PM
    UPDATE: Symantec updated their Generic Heap BO signature for IE (sid 22809) and is now blocking buffer overflow. Good job! 


  • 11.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 11, 2010 01:50 PM
    I'm not seeing this ID number in my IPS defs. Am I missing something?
    22809 that is.

    Thanks,
    Mike



  • 12.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 11, 2010 02:33 PM
    Scratch that. Found it listed. Must have skipped right over it.

    Mike



  • 13.  RE: IPS Signature for MS 0-day iepeers.dll vulnerability?

    Posted Mar 30, 2010 08:13 AM

    It looks like Microsoft will be releasing an out-of-band update for this issue today 3-30-2010.
    Please see MS10-018. Just an FYI.

    Mike