[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Tue Feb 13 17:45:07 EST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire Vulnerability Research Team (VRT) is aware of multiple
vulnerabilities affecting Microsoft products.


Details:
Microsoft Security Bulletin MS07-005:
Step-by-Step Interactive Training contains a remotely exploitable
vulnerability that may allow an attacker to execute code on a
vulnerable system.

Rules to detect attacks targeting this vulnerability were released on
September 29, 2005 and are identified as SIDs 4195 and 4196.

Microsoft Security Bulletin MS07-008:
A vulnerability exists in the HTML Help ActiveX control that may allow
a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability were released on
August 9, 2006 and are identified as SIDs 7439 and 7440.

Microsoft Security Bulletin MS07-009:
A vulnerability exists in the Microsoft Data Access Components (MDAC)
ActiveX control that may allow a remote attacker to execute code on a
vulnerable system.

A rule to detect attacks targeting this vulnerability was released on
September 1, 2006 and is identified as SID 7866.

Microsoft Security Bulletin MS07-016:
Multiple vulnerabilities exist in Internet Explorer that may allow a
remote attacker to execute code on a vulnerable system. The problems
lie in how Internet Explorer handles COM objects and how the
application handles FTP server responses.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified as SIDs 10137 through 10155.

Microsoft Security Bulletin MS07-014:
A vulnerability in Microsoft Word exists that may allow an attacker to
execute code on an affected host using a specially crafted Word
document.

Microsoft documents that exhibit vulnerable characteristics can be
identified using the OfficeCat tool.

Microsoft Security Bulletin MS07-015:
Microsoft Excel contains a programming error that may allow an attacker
to execute code on an affected host using a specially crafted Excel
file.

Microsoft documents that exhibit vulnerable characteristics can be
identified using the OfficeCat tool.



New rules:
10137 <-> WEB-CLIENT Microsoft Input Method Editor ActiveX clsid access
(web-client.rules)
10138 <-> WEB-CLIENT Microsoft Input Method Editor ActiveX clsid
unicode access (web-client.rules)
10139 <-> WEB-CLIENT Microsoft Input Method Editor ActiveX function
call access (web-client.rules)
10140 <-> WEB-CLIENT Microsoft Input Method Editor 2 ActiveX clsid
access (web-client.rules)
10141 <-> WEB-CLIENT Microsoft Input Method Editor 2 ActiveX clsid
unicode access (web-client.rules)
10142 <-> WEB-CLIENT LexRefBilingualTextContext ActiveX clsid access
(web-client.rules)
10143 <-> WEB-CLIENT LexRefBilingualTextContext ActiveX clsid unicode
access (web-client.rules)
10144 <-> WEB-CLIENT LexRefBilingualTextContext ActiveX function call
access (web-client.rules)
10145 <-> WEB-CLIENT HTML Inline Sound Control ActiveX clsid access
(web-client.rules)
10146 <-> WEB-CLIENT HTML Inline Sound Control ActiveX clsid unicode
access (web-client.rules)
10147 <-> WEB-CLIENT HTML Inline Sound Control ActiveX function call
access (web-client.rules)
10148 <-> WEB-CLIENT HTML Inline Movie Control ActiveX clsid access
(web-client.rules)
10149 <-> WEB-CLIENT HTML Inline Movie Control ActiveX clsid unicode
access (web-client.rules)
10150 <-> WEB-CLIENT HTML Inline Movie Control ActiveX function call
access (web-client.rules)
10151 <-> WEB-CLIENT BlnSetUser Proxy ActiveX clsid access
(web-client.rules)
10152 <-> WEB-CLIENT BlnSetUser Proxy ActiveX clsid unicode access
(web-client.rules)
10153 <-> WEB-CLIENT BlnSetUser Proxy ActiveX function call access
(web-client.rules)
10154 <-> WEB-CLIENT BlnSetUser Proxy 2 ActiveX clsid access
(web-client.rules)
10155 <-> WEB-CLIENT BlnSetUser Proxy 2 ActiveX clsid unicode access
(web-client.rules)

Updated rules:
4195 <-> WEB-CLIENT multipacket CBO CBL CBM file transfer attempt
(web-client.rules)
4196 <-> WEB-CLIENT CBO CBL CBM file transfer attempt
(web-client.rules)
7439 <-> WEB-CLIENT HTML Help ActiveX clsid access (web-client.rules)
7440 <-> WEB-CLIENT HTML Help ActiveX clsid unicode access
(web-client.rules)
7866 <-> WEB-CLIENT ADODB.Connection ActiveX clsid access
(web-client.rules)
7867 <-> WEB-CLIENT ADODB.Connection ActiveX clsid unicode access
(web-client.rules)
9640 <-> WEB-CLIENT ADODB.Connection ActiveX function call access
(web-client.rules)
10132 <-> RPC portmap BrightStor ARCserve denial of service attempt
(rpc.rules)
10133 <-> RPC portmap BrightStor ARCserve denial of service attempt
(rpc.rules)
10136 <-> TELNET Solaris login environment variable authentication
bypass attempt (telnet.rules)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF0j9zMpm0ve0NhMcRAuzZAJ95DxtwMko2EFCKk8l+BKLNJXzHRQCcCCF8
e83p+wMbzsT5TRykm/183k0=
=RVdf
-----END PGP SIGNATURE-----



