Talos Rules 2017-09-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-8682: A coding deficiency exists in Microsoft Win32k Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44335 through 44336.

Microsoft Vulnerability CVE-2017-8728: A coding deficiency exists in Microsoft PDF that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42285 through 42286 and 42311 through 42312.

Microsoft Vulnerability CVE-2017-8731: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44331 through 44332.

Microsoft Vulnerability CVE-2017-8734: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44340 through 44341.

Microsoft Vulnerability CVE-2017-8737: A coding deficiency exists in Microsoft PDF that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42285 through 42286 and 42311 through 42312.

Microsoft Vulnerability CVE-2017-8738: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44333 through 44334.

Microsoft Vulnerability CVE-2017-8747: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44356 through 44357.

Microsoft Vulnerability CVE-2017-8749: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44349 through 44350.

Microsoft Vulnerability CVE-2017-8750: Microsoft browsers suffer from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44342 through 44343.

Microsoft Vulnerability CVE-2017-8753: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-8757: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44338 through 44339.

Microsoft Vulnerability CVE-2017-8759: A coding deficiency exists in the Microsoft .NET Framework that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44353 through 44354.

Talos has also added and modified multiple rules in the browser-ie, file-flash, file-image, file-other, file-pdf, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies. Note that several of the rules referenced above ship with a default state of DISABLED in this release (SIDs 44333 through 44334 for CVE-2017-8738, 44353 through 44354 for CVE-2017-8759, and 42285 through 42286 and 42311 through 42312 for CVE-2017-8728 and CVE-2017-8737), as shown in the change logs below; they must be enabled in the deployed policy before they provide the coverage described.

Change logs

2017-09-12 17:50:07 UTC

Snort Subscriber Rules Update

Date: 2017-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44357 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt (browser-ie.rules)
 * 1:44356 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt (browser-ie.rules)
 * 1:44355 <-> DISABLED <-> FILE-IMAGE Free Opener malformed JPEG file buffer overflow attempt (file-image.rules)
 * 1:44354 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44353 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player text handling memory corruption attempt (file-flash.rules)
 * 1:44351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player text handling memory corruption attempt (file-flash.rules)
 * 1:44350 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:44349 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:44348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44343 <-> ENABLED <-> BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt (browser-ie.rules)
 * 1:44342 <-> ENABLED <-> BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt (browser-ie.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:44339 <-> ENABLED <-> BROWSER-IE Microsoft Edge denial of service attempt (browser-ie.rules)
 * 1:44338 <-> ENABLED <-> BROWSER-IE Microsoft Edge denial of service attempt (browser-ie.rules)
 * 1:44337 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman RestoreDBase opcode command injection attempt (server-other.rules)
 * 1:44336 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44335 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44334 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:44333 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)

Modified Rules:


 * 1:42285 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:44013 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt (file-pdf.rules)
 * 1:44014 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt (file-pdf.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
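The change log above follows the `gid:sid <-> Default rule state <-> Message (rule group)` format described at the top of the release notes, and the advisory text maps each CVE to a GID/SID range. The script below is an added example, not Talos code or a tool shipped with the rule pack: it parses lines in that format and cross-checks the advisory's CVE-to-SID mapping against the default rule states, so a detection engineer can see which CVEs are "covered" only by rules that ship DISABLED. The sample change log is a subset of lines copied from this release, and the `COVERAGE` table is transcribed from the advisory text; both are embedded inline so the script runs offline.

```python
import re

# Constructed sample: a subset of the change-log lines from this release,
# in the "gid:sid <-> Default rule state <-> Message (rule group)" format.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:44357 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt (browser-ie.rules)
 * 1:44354 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44353 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44336 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44335 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44334 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:44333 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)

Modified Rules:

 * 1:42285 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
"""

# CVE -> list of (gid, first_sid, last_sid), transcribed from the advisory text.
COVERAGE = {
    "CVE-2017-8682": [(1, 44335, 44336)],
    "CVE-2017-8728": [(1, 42285, 42286), (1, 42311, 42312)],
    "CVE-2017-8738": [(1, 44333, 44334)],
    "CVE-2017-8753": [(1, 42749, 42750)],
    "CVE-2017-8759": [(1, 44353, 44354)],
}

# One change-log rule line: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)


def parse_changelog(text):
    """Return {(gid, sid): {"state", "msg", "group", "section"}} for every rule line."""
    rules = {}
    section = None
    for line in text.splitlines():
        if line.strip().endswith("Rules:"):       # "New Rules:" / "Modified Rules:"
            section = line.strip().rstrip(":")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                              # blank line or header, skip
        key = (int(m["gid"]), int(m["sid"]))
        rules[key] = {"state": m["state"], "msg": m["msg"],
                      "group": m["group"], "section": section}
    return rules


def audit_coverage(rules, coverage):
    """For each CVE, bucket its referenced SIDs as enabled, disabled, or missing."""
    report = {}
    for cve, ranges in coverage.items():
        entry = {"enabled": [], "disabled": [], "missing": []}
        for gid, lo, hi in ranges:
            for sid in range(lo, hi + 1):
                r = rules.get((gid, sid))
                if r is None:
                    entry["missing"].append(sid)  # not in this change log at all
                elif r["state"] == "ENABLED":
                    entry["enabled"].append(sid)
                else:
                    entry["disabled"].append(sid)
        report[cve] = entry
    return report


def needs_enabling(report):
    """CVEs whose stated coverage relies on at least one rule that ships DISABLED."""
    return sorted(cve for cve, e in report.items() if e["disabled"])


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    report = audit_coverage(rules, COVERAGE)
    for cve in needs_enabling(report):
        e = report[cve]
        print(f"{cve}: disabled SIDs {e['disabled']}, missing from log {e['missing']}")
```

Run against the full change log rather than the subset, the `missing` bucket should be empty for every CVE in the advisory; anything left there means the advisory references a SID the rule pack did not ship, which is worth raising with the vendor. The `disabled` bucket is the actionable list: those SIDs need to be switched on in the policy (or the policy's base state reviewed) before the release actually detects the attack the advisory describes.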

2017-09-12 17:50:07 UTC

Snort Subscriber Rules Update

Date: 2017-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44355 <-> DISABLED <-> FILE-IMAGE Free Opener malformed JPEG file buffer overflow attempt (file-image.rules)
 * 1:44337 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman RestoreDBase opcode command injection attempt (server-other.rules)
 * 1:44335 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44336 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44339 <-> ENABLED <-> BROWSER-IE Microsoft Edge denial of service attempt (browser-ie.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:44342 <-> ENABLED <-> BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt (browser-ie.rules)
 * 1:44343 <-> ENABLED <-> BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt (browser-ie.rules)
 * 1:44345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44349 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:44350 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:44351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player text handling memory corruption attempt (file-flash.rules)
 * 1:44357 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt (browser-ie.rules)
 * 1:44356 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt (browser-ie.rules)
 * 1:44338 <-> ENABLED <-> BROWSER-IE Microsoft Edge denial of service attempt (browser-ie.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:44333 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:44353 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44354 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player text handling memory corruption attempt (file-flash.rules)
 * 1:44334 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)

Modified Rules:


 * 1:44013 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt (file-pdf.rules)
 * 1:44014 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt (file-pdf.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)

2017-09-12 17:50:07 UTC

Snort Subscriber Rules Update

Date: 2017-09-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44354 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44339 <-> ENABLED <-> BROWSER-IE Microsoft Edge denial of service attempt (browser-ie.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:44337 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman RestoreDBase opcode command injection attempt (server-other.rules)
 * 1:44334 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:44335 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44336 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys TrueType font out of bounds write attempt (os-windows.rules)
 * 1:44357 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt (browser-ie.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:44333 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
 * 1:44345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44342 <-> ENABLED <-> BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt (browser-ie.rules)
 * 1:44343 <-> ENABLED <-> BROWSER-IE Internet Explorer WeakMap Freeze memory corruption attempt (browser-ie.rules)
 * 1:44338 <-> ENABLED <-> BROWSER-IE Microsoft Edge denial of service attempt (browser-ie.rules)
 * 1:44346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44348 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MP4 atom parser memory corruption attempt (file-flash.rules)
 * 1:44349 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:44350 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:44351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player text handling memory corruption attempt (file-flash.rules)
 * 1:44352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player text handling memory corruption attempt (file-flash.rules)
 * 1:44353 <-> DISABLED <-> FILE-OTHER WSDL soap endpoint location code injection attempt (file-other.rules)
 * 1:44355 <-> DISABLED <-> FILE-IMAGE Free Opener malformed JPEG file buffer overflow attempt (file-image.rules)
 * 1:44356 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS padding property memory corruption attempt (browser-ie.rules)
 * 3:44344 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0439 attack attempt (server-other.rules)

Modified Rules:


 * 1:42286 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:44013 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt (file-pdf.rules)
 * 1:44014 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader exportAsXFAStr use after free attempt (file-pdf.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)