Forefront TMG Network Inspection System Gets Its First 0-Day Signature Release

When we started developing the Network Inspection System (NIS) technology, we faced many of the challenges typical of an engineering project: could we meet our performance requirements for an inline system? Would our design be robust and flexible enough to address the ever-changing threat landscape? But more than anything, we couldn't wait to see NIS in action, waiting for that 0-day to surface so we could see the immediate value the technology brings to Forefront TMG and our customers.

Well, this week it happened. A remote code execution vulnerability in the way the Microsoft Server Message Block 2 (SMB2) Protocol parses SMB negotiation requests surfaced and immediately became a candidate for a NIS signature. As described in the Microsoft Security Response Center (MSRC) advisory, the severity of the vulnerability is critical and the potential damage from an exploit is significant, which emphasized the need for a technology such as NIS for our customers.

In a matter of hours we completed root-cause analysis, signature development, testing and publishing of a new signature snapshot. During this process, which is driven by the Microsoft Malware Protection Center (MMPC), the team was able to demonstrate the agility of the core NIS technology and exercise the technologies and tools built over time, releasing a signature for the Vuln:Win/SMB2.Srv2.DoS!2009-3103 vulnerability in just a few hours.


Avi Ben-Menahem

Group Manager, Network Inspection System