Security Advisories

October 15, 2010 - JavaScript detection improvements in active content transformation

Security Advisories ID:    SA48
Version:    12.0
Status:    Published
Published date:    10/01/2010
Updated:    09/06/2011
 

Advisory Status

Interim

Advisory Severity

Medium, CVSS v2 base score 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE Number

No CVEs are associated with this vulnerability.

Summary

The Active Content Transformation or Removal feature of ProxySG does not detect JavaScript when encoded using hex and UTF-8 entities.  This allows an attacker to bypass the policy rules configured in ProxySG to deliver malicious content.

Affected Products

All versions of ProxySG prior to 6.1.2 are vulnerable.

Details

Malicious scripts are commonly encoded in web pages and run without a user's knowledge.  ProxySG can be configured to supplement virus scanning of Web content by detecting and removing the HTML tags that launch active content such as Java applets or scripts.  In addition, the removed content can be replaced with predefined material; this replacement is also called active content transformation.

ProxySG can detect three types of JavaScript active content:

  1. Anything within the <script></script> tags.
  2. JavaScript events within HTML attributes with onEventName names (e.g., onClick, onLoad).
  3. JavaScript within HTML attribute values using the javascript: URI scheme.

Vulnerable SGOS versions detect these tags and attributes only when they are encoded in ASCII.  Tags and attributes encoded in other formats will elude detection.

SGOS has been fixed to provide better detection of JavaScript active content within an HTML document.  SGOS will now detect tags and attributes encoded using hex and UTF-8 entities, and when formatting characters such as newlines and tabs are used.  This update will allow ProxySG to remove or replace more instances of JavaScript that had previously not been detected.
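
The detection gap described above, shown for the third category (javascript: URIs in attribute values) as an added example that is not Blue Coat's code: it compares ASCII-only matching with matching after character references are decoded and tabs and newlines are removed. The function names and sample markup are constructed for illustration, and "hex and UTF-8 entities" is assumed to mean HTML character references such as `&#x6A;` and `&#106;`.

```python
import html
import re

# Simplified matchers for illustration; a production filter would use a real HTML parser.
TAG = re.compile(r"<[a-z][^>]*>", re.I)
ATTR = re.compile(r"""([a-z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def is_js_uri_raw(value):
    """ASCII-only comparison on the attribute value exactly as received."""
    return value.lower().startswith("javascript:")

def is_js_uri_normalized(value):
    """Decode character references and drop formatting characters first."""
    decoded = html.unescape(value)               # &#x6A;  &#106;  &#x09; ...
    decoded = re.sub(r"[\t\r\n]", "", decoded)   # removed anywhere in the value
    return decoded.lstrip(C0_AND_SPACE).lower().startswith("javascript:")

def find_js_uri_attrs(markup, check):
    """Return names of attributes whose value `check` flags as a javascript: URI."""
    hits = []
    for tag in TAG.findall(markup):
        # Only attribute values are inspected, so escaped text such as
        # &lt;a href=...&gt; in the page body is never decoded into a tag.
        for name, value in ATTR.findall(tag):
            if check(value.strip("\"'")):
                hits.append(name.lower())
    return hits

# Constructed sample inputs (not taken from the advisory).
SAMPLES = {
    "plain": '<a href="javascript:void(0)">x</a>',
    "hex": '<a href="&#x6A;avascript:void(0)">x</a>',
    "decimal": '<a href="&#106;avascript:void(0)">x</a>',
    "tab-entity": '<a href="java&#x09;script:void(0)">x</a>',
    "newline": '<a href="java\nscript:void(0)">x</a>',
    "escaped-text": '<p>&lt;a href="javascript:void(0)"&gt;</p>',
    "benign": '<a href="/search?q=javascript:">x</a>',
}

if __name__ == "__main__":
    for label, markup in SAMPLES.items():
        print(label, find_js_uri_attrs(markup, is_js_uri_raw),
              find_js_uri_attrs(markup, is_js_uri_normalized))
```
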

Workarounds

Malicious active content is difficult to distinguish from legitimate active content.  ProxySG active content transformation and removal is designed to supplement WebPulse, virus scanners, and browser protections that detect and prevent malicious active content.  Customers are encouraged to employ multiple layers of protection to achieve the best results.

Patches

ProxySG 6.1 - a fix is available in SGOS 6.1.2.1.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/5351.

ProxySG 5.5 - a fix is available in SGOS 5.5.4.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41.

ProxySG 5.4 - a fix is available in SGOS 5.4.5.1.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/17.

ProxySG 5.3 - please upgrade to a later version.

ProxySG 4.3 - an interim fix is available in the SGOS 4.3.4.2 patch release.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/patch/77887199809178137864777273807520.

For information on how to upgrade SGOS, please see KB3608.

Advisory History

2011-05-25 Notification of fix in a patch release of ProxySG version 4.3.4.2.

2011-04-26 Minor update to clarify vulnerable versions.

2011-02-17 Notification of fix in ProxySG version 6.1.2.1.  Added the fix for SGOS 5.5.4.1.  Added link to KB3608.

2010-10-27 Notification of ProxySG version 5.4.5.1 patch release being promoted to GA release.

2010-10-15 Initial public release.

