Talos Rules 2015-08-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-079: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35473 through 35482, 35487 through 35488, 35493 through 35494, and 35507 through 35508. Note that SIDs 35493 and 35494 ship in the DISABLED state and must be enabled explicitly to provide coverage.

Microsoft Security Bulletin MS15-080: A coding deficiency exists in a Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35483 through 35486, 35489 through 35492, 35495 through 35498, 35513 through 35520, 35523 through 35526, and 35529 through 35530. Note that SIDs 35529 and 35530 ship in the DISABLED state and must be enabled explicitly to provide coverage.

Microsoft Security Bulletin MS15-081: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35501 through 35506, 35509 through 35512, 35521 through 35522, and 35527 through 35528. Note that SIDs 35527 and 35528 (policy-other rules) ship in the DISABLED state and must be enabled explicitly to provide coverage.

Microsoft Security Bulletin MS15-090: A coding deficiency exists in Microsoft Windows that may lead to escalation of privilege.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 35139 through 35140. Both rules remain in the DISABLED state by default.

Microsoft Security Bulletin MS15-091: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35499 through 35500.

Talos has also added and modified multiple rules in the browser-ie, file-office, file-other, os-windows and policy-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-08-11 15:55:16 UTC

Snort Subscriber Rules Update

Date: 2015-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
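The release summary above ties each bulletin to a set of SID ranges, and the change logs below list every rule in the gid:sid <-> state <-> message (group) form just described. The following Python is an added example, not Talos code: it parses both, attributes each listed rule to the bulletin whose range claims it, reports the rules that ship DISABLED (which give no coverage until an operator turns them on), and reports claimed SIDs that the log never lists. The CHANGELOG excerpt is constructed from lines on this page; the mention of pulledpork's enablesid.conf is an assumption about the reader's rule-management tooling.

```python
import re
from collections import defaultdict

# Bulletin -> SID-range sentence, copied from the release summary above.
BULLETIN_COVERAGE = {
    "MS15-079": "35473 through 35482, 35487 through 35488, 35493 through 35494, and 35507 through 35508",
    "MS15-080": "35483 through 35486, 35489 through 35492, 35495 through 35498, 35513 through 35520, 35523 through 35526, and 35529 through 35530",
    "MS15-081": "35501 through 35506, 35509 through 35512, 35521 through 35522, and 35527 through 35528",
    "MS15-090": "35139 through 35140",
    "MS15-091": "35499 through 35500",
}

# Constructed excerpt of the change log (a handful of lines from this page),
# in the page's own "gid:sid <-> Default rule state <-> Message (rule group)" format.
CHANGELOG = """\
 * 1:35493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35530 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35139 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
"""

RANGE_RE = re.compile(r"(\d+)\s+through\s+(\d+)")
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[^)]+)\)\s*$"
)


def parse_ranges(text):
    """Expand every 'A through B' phrase in a coverage sentence into a set of SIDs."""
    sids = set()
    for lo, hi in RANGE_RE.findall(text):
        lo, hi = int(lo), int(hi)
        if hi < lo:
            raise ValueError(f"inverted SID range {lo} through {hi}")
        sids.update(range(lo, hi + 1))
    return sids


def parse_changelog(text):
    """Parse change log rule lines; headers, blank lines and anything else are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "gid": int(m["gid"]), "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            "msg": m["msg"], "group": m["group"],
        })
    return rules


def rules_by_bulletin(rules, coverage=BULLETIN_COVERAGE):
    """Attribute each GID 1 rule to the bulletin whose SID range claims it.
    Rules that no bulletin claims (e.g. the modified 35184/35185) go under
    'UNMAPPED' so they are visible rather than silently dropped."""
    ranges = {b: parse_ranges(t) for b, t in coverage.items()}
    grouped = defaultdict(list)
    for r in rules:
        owners = [b for b, s in ranges.items() if r["gid"] == 1 and r["sid"] in s]
        if len(owners) > 1:
            raise ValueError(f"SID {r['sid']} claimed by more than one bulletin: {owners}")
        grouped[owners[0] if owners else "UNMAPPED"].append(r)
    return dict(grouped)


def disabled_by_default(rules, coverage=BULLETIN_COVERAGE):
    """Per bulletin, the rules that ship DISABLED and so provide no coverage until
    enabled. Returned as 'gid:sid' strings, which is also the one-entry-per-line
    form pulledpork's enablesid.conf accepts (assumed tooling)."""
    return {
        b: [f"{r['gid']}:{r['sid']}" for r in rs if not r["enabled"]]
        for b, rs in rules_by_bulletin(rules, coverage).items()
        if b != "UNMAPPED" and any(not r["enabled"] for r in rs)
    }


def missing_sids(rules, coverage=BULLETIN_COVERAGE):
    """SIDs a bulletin's coverage sentence claims but the change log never lists."""
    seen = {r["sid"] for r in rules if r["gid"] == 1}
    gaps = {}
    for b, t in coverage.items():
        missing = sorted(parse_ranges(t) - seen)
        if missing:
            gaps[b] = missing
    return gaps


if __name__ == "__main__":
    parsed = parse_changelog(CHANGELOG)
    for bulletin, sids in disabled_by_default(parsed).items():
        print(f"{bulletin}: disabled by default -> {', '.join(sids)}")
    unmapped = rules_by_bulletin(parsed).get("UNMAPPED", [])
    print("not claimed by any bulletin:", [r["sid"] for r in unmapped])
    print("claimed but absent from this excerpt:", missing_sids(parsed))
```

Run against the full change log rather than the excerpt, missing_sids should come back empty for every bulletin; against the excerpt it flags MS15-091 and the second half of MS15-090, which is exactly the check to run when a release note and a rule pack disagree.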

New Rules:


 * 1:35499 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35500 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35497 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35498 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35496 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35495 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35492 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35490 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35491 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35488 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35489 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35486 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35487 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35485 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35484 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35482 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35483 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35481 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35476 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35530 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35529 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35526 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35525 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)
 * 1:35515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35509 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35510 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35518 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35517 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)
 * 1:35516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35522 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)

Modified Rules:


 * 1:35139 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35140 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)

2015-08-11 15:55:16 UTC

Snort Subscriber Rules Update

Date: 2015-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35526 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35525 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)
 * 1:35521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35529 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35530 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)
 * 1:35475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35476 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35481 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35482 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35483 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35484 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35485 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35486 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35487 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35488 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35489 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35490 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35491 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35492 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35495 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35496 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35497 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35498 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35499 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35500 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35509 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35510 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35522 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35518 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)
 * 1:35517 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)

Modified Rules:


 * 1:35139 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35140 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)

2015-08-11 15:55:16 UTC

Snort Subscriber Rules Update

Date: 2015-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)
 * 1:35474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)
 * 1:35475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35476 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35481 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35482 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35483 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35484 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35485 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35486 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35487 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35488 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35489 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35490 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35491 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35492 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35495 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35496 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35497 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35498 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35499 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35500 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35509 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35510 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35530 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35529 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35526 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35525 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35522 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35517 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)
 * 1:35518 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)

Modified Rules:


 * 1:35139 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35140 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)

2015-08-11 15:55:16 UTC

Snort Subscriber Rules Update

Date: 2015-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35530 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35529 <-> DISABLED <-> FILE-OTHER Microsoft Windows malformed TTF table hmtx remote code execution attempt (file-other.rules)
 * 1:35528 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35527 <-> DISABLED <-> POLICY-OTHER Microsoft cabinet file default sha1 signature detected (policy-other.rules)
 * 1:35526 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35525 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35522 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed document file use after free attempt (file-office.rules)
 * 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35518 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)
 * 1:35517 <-> ENABLED <-> FILE-OTHER Microsoft Windows FontView OpenType Font atmfd.dll invalid memory reference attempt (file-other.rules)
 * 1:35516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATFM.DLL malformed OTF use-after-free attempt (os-windows.rules)
 * 1:35514 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetTextMetricsW TEXTMETRICW kernel mode ASLR bypass attempt (os-windows.rules)
 * 1:35512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word msptls.dll integer underflow attempt (file-office.rules)
 * 1:35510 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35509 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion attempt (browser-ie.rules)
 * 1:35506 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35505 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll use-after-free attempt (file-office.rules)
 * 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Word incomplete ActiveX control use-after-free attempt (file-office.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35500 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35499 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
 * 1:35498 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35497 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Document invalid directory entry use after free attempt (file-office.rules)
 * 1:35496 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35495 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35492 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35491 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI DrvQueryFontData function uninitialized glyph data remote code execution attempt (file-other.rules)
 * 1:35490 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35489 <-> ENABLED <-> FILE-OTHER Microsoft Windows OTF file parsing error exploitation attempt (file-other.rules)
 * 1:35488 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35487 <-> ENABLED <-> OS-WINDOWS Windows Notepad remote printer file access attempt (os-windows.rules)
 * 1:35486 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35485 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35484 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35483 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:35482 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35481 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CParaElement use-after-free attempt (browser-ie.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35476 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use after free attempt (browser-ie.rules)
 * 1:35474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)
 * 1:35473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer COrphanedStylesheetArray use-after-free attempt (browser-ie.rules)

Modified Rules:


 * 1:35139 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35140 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox permission bypass registry read attempt (browser-ie.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)