VRT Rules 2014-07-08
The VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS14-037: Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 31380 through 31391.

The VRT has also added and modified multiple rules in the browser-ie, exploit-kit, file-multimedia, file-office, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2014-07-10 17:51:46 UTC

Sourcefire VRT Rules Update

Date: 2014-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31390 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31391 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31375 <-> DISABLED <-> SERVER-WEBAPP Hp OpenView CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:31373 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (server-webapp.rules)
 * 1:31379 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt (file-office.rules)
 * 1:31374 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt (file-office.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP pslash remote file include attempt (server-webapp.rules)
 * 1:31378 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt (file-office.rules)
 * 1:31389 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt (browser-ie.rules)
 * 1:31382 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt (browser-ie.rules)
 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31376 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:31388 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt (browser-ie.rules)
 * 1:31384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31386 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt (browser-ie.rules)
 * 1:31387 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt (browser-ie.rules)
 * 1:31383 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt (browser-ie.rules)

Modified Rules:


 * 1:25345 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager Web interface arbitrary command execution attempt (server-webapp.rules)
 * 1:30289 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt (browser-ie.rules)
 * 1:18643 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt (file-office.rules)
 * 1:17591 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
 * 1:23266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:18998 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (server-webapp.rules)
 * 1:21112 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:1807 <-> DISABLED <-> SERVER-WEBAPP Chunked-Encoding transfer attempt (server-webapp.rules)
 * 1:18535 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt (file-office.rules)
 * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:17250 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:17129 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt (browser-ie.rules)
 * 1:18642 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt (file-office.rules)
 * 1:26676 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:28882 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:28881 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:28163 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt (browser-ie.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:23268 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:23267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)

2014-07-10 17:51:46 UTC

Sourcefire VRT Rules Update

Date: 2014-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31391 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31390 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31389 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt (browser-ie.rules)
 * 1:31388 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt (browser-ie.rules)
 * 1:31387 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt (browser-ie.rules)
 * 1:31386 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt (browser-ie.rules)
 * 1:31385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31383 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt (browser-ie.rules)
 * 1:31382 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt (browser-ie.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31379 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt (file-office.rules)
 * 1:31378 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt (file-office.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP pslash remote file include attempt (server-webapp.rules)
 * 1:31376 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:31375 <-> DISABLED <-> SERVER-WEBAPP Hp OpenView CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:31374 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt (file-office.rules)
 * 1:31373 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (server-webapp.rules)

Modified Rules:


 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:17129 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt (browser-ie.rules)
 * 1:17250 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:30289 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt (browser-ie.rules)
 * 1:17591 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:1807 <-> DISABLED <-> SERVER-WEBAPP Chunked-Encoding transfer attempt (server-webapp.rules)
 * 1:18535 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt (file-office.rules)
 * 1:18642 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt (file-office.rules)
 * 1:28882 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:18643 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt (file-office.rules)
 * 1:18998 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (server-webapp.rules)
 * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:21112 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:28881 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
 * 1:23266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:26676 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:28163 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt (browser-ie.rules)
 * 1:25345 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager Web interface arbitrary command execution attempt (server-webapp.rules)
 * 1:23267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:23268 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)

2014-07-10 17:51:46 UTC

Sourcefire VRT Rules Update

Date: 2014-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:31385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31382 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt (browser-ie.rules)
 * 1:31379 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt (file-office.rules)
 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31377 <-> DISABLED <-> SERVER-WEBAPP pslash remote file include attempt (server-webapp.rules)
 * 1:31375 <-> DISABLED <-> SERVER-WEBAPP Hp OpenView CGI parameter buffer overflow attempt (server-webapp.rules)
 * 1:31376 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:31374 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Qsir and Qsif record remote code execution attempt (file-office.rules)
 * 1:31390 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31391 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31373 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (server-webapp.rules)
 * 1:31378 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt (file-office.rules)
 * 1:31383 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized object use after free attempt (browser-ie.rules)
 * 1:31387 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt (browser-ie.rules)
 * 1:31386 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CLayout object user after free attempt (browser-ie.rules)
 * 1:31388 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt (browser-ie.rules)
 * 1:31389 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer improper object cast memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:23267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:21112 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:23266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
 * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:18998 <-> ENABLED <-> SERVER-WEBAPP HP OpenView NNM ovwebsnmpsrv.exe command line argument buffer overflow attempt (server-webapp.rules)
 * 1:17129 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt (browser-ie.rules)
 * 1:17250 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:17591 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)
 * 1:18643 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTTextFflow overflow attempt (file-office.rules)
 * 1:1807 <-> DISABLED <-> SERVER-WEBAPP Chunked-Encoding transfer attempt (server-webapp.rules)
 * 1:26676 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad sprmTSetBrc SPRM overflow attempt (file-office.rules)
 * 1:18642 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Converter sprmTSplit overflow attempt (file-office.rules)
 * 1:25345 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager Web interface arbitrary command execution attempt (server-webapp.rules)
 * 1:28163 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt (browser-ie.rules)
 * 1:28881 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:28882 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Dictionary Object use after free attempt (browser-ie.rules)
 * 1:30289 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout SmartObject use after free attempt (browser-ie.rules)
 * 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
 * 1:18535 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word file sprmTSetBrc processing buffer overflow attempt (file-office.rules)
 * 1:23268 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word crafted sprm structure memory corruption attempt (file-office.rules)