Talos Rules 2016-08-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-095: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39810 through 39813, 39820 through 39823, 39826 through 39829, 39833 through 39834, and 39839 through 39840.

Microsoft Security Bulletin MS16-096: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 25459 through 25460.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 39810 through 39811, 39822 through 39823, and 39833 through 39834.

Microsoft Security Bulletin MS16-097: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39824 through 39825 and 39843 through 39844.

Microsoft Security Bulletin MS16-098: A coding deficiency exists in Microsoft Kernel-Mode drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39808 through 39809, 39814 through 39815, and 39841 through 39842.

Microsoft Security Bulletin MS16-099: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39816 through 39817, 39831 through 39832, and 39835 through 39838.

Microsoft Security Bulletin MS16-102: A coding deficiency exists in Microsoft Windows PDF library that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 25459 through 25460.

Talos has added and modified multiple rules in the browser-ie, file-office, file-pdf and os-windows rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-08-09 17:23:30 UTC

Snort Subscriber Rules Update

Date: 2016-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
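The entry format above is regular enough to check by machine. The script below is an added example written for this page, not Talos code: it parses changelog entries in that format together with the "SIDs X through Y" ranges quoted in the bulletin paragraphs, then reports which claimed SIDs are absent from the release and which ship DISABLED by default (for example, the MS16-099 SIDs 39816 and 39817 are listed as coverage but are disabled in this rule pack, so they do nothing until you enable them). The changelog sample is a constructed subset of this release's "New Rules" entries; the bulletin-to-range mapping is copied from the advisory text above.

```python
"""Cross-check a Talos rule-release advisory against its Snort changelog.

Added example, not Talos code. Parses changelog lines of the form
    gid:sid <-> Default rule state <-> Message (rule group)
and the "SIDs X through Y" ranges the advisory quotes per bulletin, then
reports SIDs that are claimed but missing, and SIDs that are present but
DISABLED by default.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the "New Rules" entries from the 2016-08-09 changelog.
CHANGELOG = """\
 * 1:39810 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39811 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39822 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39823 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39833 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
 * 1:39834 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
"""

# Constructed sample: the SID ranges the advisory quotes for two of the bulletins.
ADVISORY = {
    "MS16-096": "GID 1, SIDs 39810 through 39811, 39822 through 39823, and 39833 through 39834.",
    "MS16-099": "GID 1, SIDs 39816 through 39817, 39831 through 39832, and 39835 through 39838.",
}

# One changelog entry: " * gid:sid <-> STATE <-> message (rulefile)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+)\)\s*$"
)
# One "X through Y" range inside an advisory sentence.
RANGE_RE = re.compile(r"(\d+)\s+through\s+(\d+)")


def parse_changelog(text: str) -> Dict[Tuple[int, int], Tuple[str, str, str]]:
    """Map (gid, sid) -> (default state, message, rule file). Non-matching lines are skipped."""
    entries: Dict[Tuple[int, int], Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            gid, sid, state, msg, rulefile = m.groups()
            entries[(int(gid), int(sid))] = (state, msg, rulefile)
    return entries


def parse_sid_ranges(sentence: str, gid: int = 1) -> Set[Tuple[int, int]]:
    """Expand every 'X through Y' range in an advisory sentence into (gid, sid) pairs."""
    sids: Set[Tuple[int, int]] = set()
    for lo_s, hi_s in RANGE_RE.findall(sentence):
        lo, hi = int(lo_s), int(hi_s)
        if hi < lo:
            raise ValueError(f"inverted range {lo} through {hi}")
        sids.update((gid, s) for s in range(lo, hi + 1))
    return sids


def check_coverage(advisory: Dict[str, str], changelog: str) -> Dict[str, Tuple[List[int], List[int]]]:
    """Per bulletin: (claimed SIDs missing from the release, claimed SIDs shipped DISABLED)."""
    entries = parse_changelog(changelog)
    report: Dict[str, Tuple[List[int], List[int]]] = {}
    for bulletin, sentence in advisory.items():
        claimed = parse_sid_ranges(sentence)
        missing = sorted(s for g, s in claimed if (g, s) not in entries)
        disabled = sorted(
            s for g, s in claimed if (g, s) in entries and entries[(g, s)][0] == "DISABLED"
        )
        report[bulletin] = (missing, disabled)
    return report


if __name__ == "__main__":
    for bulletin, (missing, disabled) in check_coverage(ADVISORY, CHANGELOG).items():
        print(f"{bulletin}: missing={missing} disabled_by_default={disabled}")
```

Run against the full changelog rather than the sample and the "missing" lists empty out; the "disabled" lists are the SIDs to review for enabling on sensors that need that coverage.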

New Rules:


 * 1:39807 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Lethic outbound connection detected (malware-other.rules)
 * 1:39808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt (os-windows.rules)
 * 1:39809 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt (os-windows.rules)
 * 1:39810 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39811 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39814 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt (os-windows.rules)
 * 1:39815 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt (os-windows.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39818 <-> ENABLED <-> OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt (os-windows.rules)
 * 1:39819 <-> ENABLED <-> OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt (os-windows.rules)
 * 1:39820 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt (browser-ie.rules)
 * 1:39821 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt (browser-ie.rules)
 * 1:39822 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39823 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39824 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39828 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt (browser-ie.rules)
 * 1:39829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt (browser-ie.rules)
 * 1:39830 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrypMIC outbound connection detected (malware-other.rules)
 * 1:39831 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:39832 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:39833 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
 * 1:39834 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39837 <-> ENABLED <-> FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt (file-office.rules)
 * 1:39838 <-> ENABLED <-> FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt (file-office.rules)
 * 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39841 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt (os-windows.rules)
 * 1:39842 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt (os-windows.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)

Modified Rules:


 * 1:24154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)

2016-08-09 17:23:30 UTC

Snort Subscriber Rules Update

Date: 2016-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39807 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Lethic outbound connection detected (malware-other.rules)
 * 1:39808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt (os-windows.rules)
 * 1:39809 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt (os-windows.rules)
 * 1:39810 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39811 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39814 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt (os-windows.rules)
 * 1:39815 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt (os-windows.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39818 <-> ENABLED <-> OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt (os-windows.rules)
 * 1:39819 <-> ENABLED <-> OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt (os-windows.rules)
 * 1:39820 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt (browser-ie.rules)
 * 1:39821 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt (browser-ie.rules)
 * 1:39822 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39823 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39824 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39828 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt (browser-ie.rules)
 * 1:39829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt (browser-ie.rules)
 * 1:39830 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrypMIC outbound connection detected (malware-other.rules)
 * 1:39831 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:39832 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:39833 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
 * 1:39834 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39837 <-> ENABLED <-> FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt (file-office.rules)
 * 1:39838 <-> ENABLED <-> FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt (file-office.rules)
 * 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39841 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt (os-windows.rules)
 * 1:39842 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt (os-windows.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)

Modified Rules:


 * 1:24154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)

2016-08-09 17:23:30 UTC

Snort Subscriber Rules Update

Date: 2016-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39807 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Lethic outbound connection detected (malware-other.rules)
 * 1:39808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt (os-windows.rules)
 * 1:39809 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics subcomponent local privilege escalation attempt (os-windows.rules)
 * 1:39810 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39811 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iertutil.dll long UNC redirect out of bounds read attempt (browser-ie.rules)
 * 1:39812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:39814 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt (os-windows.rules)
 * 1:39815 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32kfull FloodFillWindow privilege escalation attempt (os-windows.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39818 <-> ENABLED <-> OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt (os-windows.rules)
 * 1:39819 <-> ENABLED <-> OS-WINDOWS Microsoft Windows operating system win32kfull heap corruption attempt (os-windows.rules)
 * 1:39820 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt (browser-ie.rules)
 * 1:39821 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe sandbox file name information disclosure attempt (browser-ie.rules)
 * 1:39822 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39823 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll invalid history state use after free attempt (browser-ie.rules)
 * 1:39824 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39828 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt (browser-ie.rules)
 * 1:39829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll cached object use after free attempt (browser-ie.rules)
 * 1:39830 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrypMIC outbound connection detected (malware-other.rules)
 * 1:39831 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:39832 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
 * 1:39833 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
 * 1:39834 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer InsertSelectDropdown use after free attempt (browser-ie.rules)
 * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg memory corruption attempt (file-office.rules)
 * 1:39837 <-> ENABLED <-> FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt (file-office.rules)
 * 1:39838 <-> ENABLED <-> FILE-OFFICE Microsoft Office mso.dll out of bounds memory access attempt (file-office.rules)
 * 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
 * 1:39841 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt (os-windows.rules)
 * 1:39842 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kbase bOutline out of bounds read attempt (os-windows.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)

Modified Rules:


 * 1:24154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:24155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader free text annotation invalid IT value denial of service attempt (file-pdf.rules)
 * 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
 * 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)