Forefront TMG – NIS Update for CVE-2011-3414

Hello folks, and Happy New Year to you all!

If you are running Forefront TMG 2010 and have NIS (Network Inspection System) enabled and updated, you have probably noticed a new signature that was released to help you protect against CVE-2011-3414 (part of MS11-100), as shown below:


Notice also that the response is already set to “Block” and the signature is already enabled. If you open the properties for this signature and review the Details tab, you will see that it is classified as high business impact:


The good news is that if an attacker tries to exploit this vulnerability against a server that has not been patched yet and the traffic crosses TMG, NIS will identify the traffic and block it. Although you have this additional layer of protection to mitigate attempts to exploit this particular vulnerability, it is strongly recommended that you update your servers with MS11-100 as quickly as possible (mainly the ones that are exposed to the Internet).

Stay safe in 2012 and have a great year!

Comments (3)

  1. You're right, in version 10.95 (the one I used in the blog post) the default setting for the signature was set to Enabled / Block. In version 10.99 (the latest version available), the default setting has changed to Disabled / Detect Only. I'm still checking why such a change was made… will post the results here once I find out.

    Thanks for following up.

  2. The change on 10.99 was:

    Signature classification changed from “Vulnerability” to “Policy” to prevent this legitimate traffic from being blocked. New Policy signature information can be found at: …/NIS.aspx

    You can still change it to block if you want to.

  3. paul says:

    I found ours to be Disabled & Detect Only. Our responses are set to Microsoft defaults. Version 10.99 released 12/30/2011.