Talos Rules 2016-12-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-144: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40940 through 40941, 40969 through 40970, 40975 through 40976, 40986 through 40989, and 40992 through 40993.

Microsoft Security Bulletin MS16-145: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 36452 and 39242 through 39243.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 40946, 40949 through 40950, 40969 through 40976, and 40986 through 40987.

Microsoft Security Bulletin MS16-146: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40967 through 40968 and 40982 through 40983.

Microsoft Security Bulletin MS16-147: A coding deficiency exists in Microsoft Uniscribe that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40942 through 40943.

Microsoft Security Bulletin MS16-148: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40938 through 40939, 40944 through 40945, 40951 through 40952, 40957 through 40966, and 40977 through 40978.

Microsoft Security Bulletin MS16-149: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40953 through 40956 and 40984 through 40985.

Microsoft Security Bulletin MS16-151: A coding deficiency exists in a Microsoft Kernel-Mode driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40947 through 40948 and 40990.

Microsoft Security Bulletin MS16-153: A coding deficiency exists in Microsoft Common Log File System Driver that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40936 through 40937.

Talos has also added and modified multiple rules in the browser-ie, file-executable, file-identify, file-office, file-other, file-pdf and os-windows rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-12-13 19:20:58 UTC

Snort Subscriber Rules Update

Date: 2016-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:40979 <-> ENABLED <-> FILE-IDENTIFY ico file download request (file-identify.rules)
 * 1:40977 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel insecure workbook load via reference to named share attempt (file-office.rules)
 * 1:40978 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel insecure workbook load via reference to named share attempt (file-office.rules)
 * 1:40975 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe information disclosure attempt (browser-ie.rules)
 * 1:40976 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe information disclosure attempt (browser-ie.rules)
 * 1:40973 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40974 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40972 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40971 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40969 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:40970 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:40967 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint WMF conversion information disclosure attempt (file-office.rules)
 * 1:40968 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint WMF conversion information disclosure attempt (file-office.rules)
 * 1:40965 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher out of bounds read attempt (file-office.rules)
 * 1:40966 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher out of bounds read attempt (file-office.rules)
 * 1:40963 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel type confusion attempt (file-office.rules)
 * 1:40964 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel type confusion attempt (file-office.rules)
 * 1:40961 <-> DISABLED <-> FILE-OTHER Microsoft Office OLE DLL side load attempt (file-other.rules)
 * 1:40962 <-> ENABLED <-> FILE-OTHER Microsoft Office OLE DLL side load attempt (file-other.rules)
 * 1:40959 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ddeService command execution attempt (file-office.rules)
 * 1:40960 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ddeService command execution attempt (file-office.rules)
 * 1:40957 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel security descriptor out of bounds read attempt (file-office.rules)
 * 1:40958 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel security descriptor out of bounds read attempt (file-office.rules)
 * 1:40955 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40956 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40953 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40954 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40951 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word XST structure out of bounds read attempt (file-office.rules)
 * 1:40952 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word XST structure out of bounds read attempt (file-office.rules)
 * 1:40949 <-> ENABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:40950 <-> ENABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:40947 <-> ENABLED <-> OS-WINDOWS Microsoft Windows StripSolidHorizontal out of bounds memory access attempt (os-windows.rules)
 * 1:40948 <-> ENABLED <-> OS-WINDOWS Microsoft Windows StripSolidHorizontal out of bounds memory access attempt (os-windows.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40946 <-> DISABLED <-> BROWSER-IE Microsoft Edge CSS browser history disclosure attempt (browser-ie.rules)
 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:40942 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40937 <-> ENABLED <-> FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt (file-executable.rules)
 * 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:40939 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint OpenType font overly large instructionLength out of bounds read attempt (file-office.rules)
 * 1:40938 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint OpenType font overly large instructionLength out of bounds read attempt (file-office.rules)
 * 1:40936 <-> ENABLED <-> FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt (file-executable.rules)
 * 1:40993 <-> DISABLED <-> BROWSER-IE Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:40992 <-> DISABLED <-> BROWSER-IE Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:40990 <-> DISABLED <-> OS-WINDOWS empty PostScript Type 1 font pfb file null dereference attempt (os-windows.rules)
 * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:40987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MSIEXEC privilege escalation attempt (os-windows.rules)
 * 1:40983 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40982 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MSIEXEC privilege escalation attempt (os-windows.rules)
 * 1:40980 <-> ENABLED <-> FILE-IDENTIFY ico file attachment detected (file-identify.rules)
 * 1:40981 <-> ENABLED <-> FILE-IDENTIFY ico file attachment detected (file-identify.rules)

Modified Rules:
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:39242 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:40774 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0198 attack attempt (file-pdf.rules)

2016-12-13 19:20:58 UTC

Snort Subscriber Rules Update

Date: 2016-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:40993 <-> DISABLED <-> BROWSER-IE Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:40992 <-> DISABLED <-> BROWSER-IE Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
 * 1:40990 <-> DISABLED <-> OS-WINDOWS empty PostScript Type 1 font pfb file null dereference attempt (os-windows.rules)
 * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:40987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MSIEXEC privilege escalation attempt (os-windows.rules)
 * 1:40984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MSIEXEC privilege escalation attempt (os-windows.rules)
 * 1:40983 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40982 <-> ENABLED <-> FILE-OTHER Microsoft Internet Explorer malformed ico integer overflow attempt (file-other.rules)
 * 1:40981 <-> ENABLED <-> FILE-IDENTIFY ico file attachment detected (file-identify.rules)
 * 1:40980 <-> ENABLED <-> FILE-IDENTIFY ico file attachment detected (file-identify.rules)
 * 1:40979 <-> ENABLED <-> FILE-IDENTIFY ico file download request (file-identify.rules)
 * 1:40978 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel insecure workbook load via reference to named share attempt (file-office.rules)
 * 1:40977 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel insecure workbook load via reference to named share attempt (file-office.rules)
 * 1:40976 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe information disclosure attempt (browser-ie.rules)
 * 1:40975 <-> ENABLED <-> BROWSER-IE Microsoft Edge iframe information disclosure attempt (browser-ie.rules)
 * 1:40974 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40973 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40972 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40971 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40970 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:40969 <-> DISABLED <-> BROWSER-IE Microsoft Edge Object.defineProperty type confusion attempt (browser-ie.rules)
 * 1:40968 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint WMF conversion information disclosure attempt (file-office.rules)
 * 1:40967 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint WMF conversion information disclosure attempt (file-office.rules)
 * 1:40966 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher out of bounds read attempt (file-office.rules)
 * 1:40965 <-> ENABLED <-> FILE-OFFICE Microsoft Office Publisher out of bounds read attempt (file-office.rules)
 * 1:40964 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel type confusion attempt (file-office.rules)
 * 1:40963 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel type confusion attempt (file-office.rules)
 * 1:40962 <-> ENABLED <-> FILE-OTHER Microsoft Office OLE DLL side load attempt (file-other.rules)
 * 1:40961 <-> DISABLED <-> FILE-OTHER Microsoft Office OLE DLL side load attempt (file-other.rules)
 * 1:40960 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ddeService command execution attempt (file-office.rules)
 * 1:40959 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ddeService command execution attempt (file-office.rules)
 * 1:40958 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel security descriptor out of bounds read attempt (file-office.rules)
 * 1:40957 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel security descriptor out of bounds read attempt (file-office.rules)
 * 1:40956 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40955 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40954 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40953 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ksecdd.sys kernel information disclosure attempt (os-windows.rules)
 * 1:40952 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word XST structure out of bounds read attempt (file-office.rules)
 * 1:40951 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word XST structure out of bounds read attempt (file-office.rules)
 * 1:40950 <-> ENABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:40949 <-> ENABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:40948 <-> ENABLED <-> OS-WINDOWS Microsoft Windows StripSolidHorizontal out of bounds memory access attempt (os-windows.rules)
 * 1:40947 <-> ENABLED <-> OS-WINDOWS Microsoft Windows StripSolidHorizontal out of bounds memory access attempt (os-windows.rules)
 * 1:40946 <-> DISABLED <-> BROWSER-IE Microsoft Edge CSS browser history disclosure attempt (browser-ie.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40942 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:40939 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint OpenType font overly large instructionLength out of bounds read attempt (file-office.rules)
 * 1:40938 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint OpenType font overly large instructionLength out of bounds read attempt (file-office.rules)
 * 1:40937 <-> ENABLED <-> FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt (file-executable.rules)
 * 1:40936 <-> ENABLED <-> FILE-EXECUTABLE Microsoft CLFS.sys information leak attempt (file-executable.rules)

Modified Rules:
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:39242 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:40774 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0198 attack attempt (file-pdf.rules)