Rule Category

BROWSER-PLUGINS -- Snort has detected suspicious browser plugin traffic, most likely targeting the ActiveX plugin in Internet Explorer, though the category applies to any browser. Attackers have refined techniques to smuggle extensions into the Chrome Web Store and then modify them remotely once downloaded, adding or activating malicious or spyware features. This is similar to a Potentially Unwanted Application: valuable data and network access are often granted on a phone or browser without proper investigation. Some extensions also mimic more well-known and trusted ones (AdBlock, etc.).

Alert Message

BROWSER-PLUGINS Outlook.Application ActiveX clsid access

Rule Explanation

This event is generated when an attempt is made to return to a web client a file with a Class ID (CLSID) embedded in it.

Impact: A successful attack may result in the execution of code of the attacker's choosing, possibly leading to control of the target machine.

Details: Internet Explorer does not correctly handle ActiveX controls. Certain COM objects can be called by Internet Explorer and executed as ActiveX controls. When this is achieved, it may be possible for an attacker to overwrite portions of memory and execute code of their choosing. There are multiple CLSIDs associated with a COM component that could be used for malicious purposes.

This event is generated when the CLSID for Outlook.Application is detected in data being returned to a client system from a server. These access rules alert on attempts to access certain CLSIDs that could potentially be used to exploit ActiveX-based vulnerabilities. These CLSIDs fall into one of the following categories:

1. Microsoft has deprecated the CLSID and has suggested to all web developers that this CLSID no longer be used.
2. Microsoft has disabled the CLSID and it can no longer be used to actually execute an ActiveX object.
3. The CLSID is a known bad CLSID and has been removed from updated versions of the application that use this ActiveX object.
4. The ActiveX object is not safe for scripting and could be vulnerable to a security issue that may result in a buffer overflow or loss of system functionality.

This event indicates that the identifier for the component Outlook.Application was detected.

Ease of Attack: Simple. Exploit code is publicly available.
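The rule described above fires on the Outlook.Application CLSID appearing in data returned from a server to a client. The following is an added example, not Snort's rule logic and not from Talos, of the same detection idea in Python: split a server-to-client HTTP response, scan only the body for classid="clsid:..." references, and compare them case-insensitively against a watchlist. It goes one step beyond the rule text by also matching the control's ProgID in embedded script, since a page can instantiate the same control by name without any CLSID appearing. The CLSID in the watchlist, the ProgID table, and the sample response are all constructed placeholders; the page does not state the real CLSID value, so substitute the identifiers from your own rule set.

```python
"""Scan an HTTP response body for references to watched ActiveX controls.

Added example: a minimal stand-in for what a BROWSER-PLUGINS "clsid access"
rule checks. It is not Snort's rule logic and uses constructed sample data.
"""
import re
from typing import Dict, List

# Constructed watchlist. The CLSID below is a labelled placeholder, not the real
# Outlook.Application identifier; fill in the CLSIDs from your own rule set.
WATCHED_CLSIDS: Dict[str, str] = {
    "00000000-1111-2222-3333-444444444444": "Outlook.Application (placeholder)",
}
# ProgIDs are matched too, because script can instantiate the same control by
# name via new ActiveXObject("...") with no CLSID present in the page at all.
WATCHED_PROGIDS: Dict[str, str] = {
    "outlook.application": "Outlook.Application",
}

# classid="clsid:{GUID}" in any letter case, with or without braces/whitespace.
CLSID_RE = re.compile(
    r"clsid\s*:\s*\{?\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*\}?",
    re.IGNORECASE,
)
# new ActiveXObject("ProgID") or CreateObject("ProgID") inside embedded script.
PROGID_RE = re.compile(
    r"(?:ActiveXObject|CreateObject)\s*\(\s*['\"]([A-Za-z0-9_.]+)['\"]",
    re.IGNORECASE,
)


def find_activex_refs(body: str) -> List[Dict[str, str]]:
    """Return every watched CLSID or ProgID referenced in an HTML/script body."""
    hits: List[Dict[str, str]] = []
    for m in CLSID_RE.finditer(body):
        clsid = m.group(1).lower()  # normalise case before the lookup
        if clsid in WATCHED_CLSIDS:
            hits.append({"kind": "clsid", "value": clsid, "name": WATCHED_CLSIDS[clsid]})
    for m in PROGID_RE.finditer(body):
        progid = m.group(1).lower()
        if progid in WATCHED_PROGIDS:
            hits.append({"kind": "progid", "value": progid, "name": WATCHED_PROGIDS[progid]})
    return hits


def inspect_http_response(raw: bytes) -> List[Dict[str, str]]:
    """Split a raw server->client HTTP response and scan only its body.

    Headers are skipped so a CLSID-looking string in, say, a cookie does not
    fire; the rule class in the text is about content returned to the client.
    """
    _head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # no header/body boundary: nothing to inspect
        return []
    return find_activex_refs(body.decode("latin-1", errors="replace"))


# Constructed sample response: one watched control via CLSID, one via ProgID,
# and one unrelated control that must not alert.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>\n"
    b'<object classid="CLSID:{00000000-1111-2222-3333-444444444444}" id="o"></object>\n'
    b'<object classid="clsid:99999999-8888-7777-6666-555555555555"></object>\n'
    b"<script>var app = new ActiveXObject('Outlook.Application');</script>\n"
    b"</body></html>\n"
)

if __name__ == "__main__":
    for hit in inspect_http_response(SAMPLE_RESPONSE):
        print(f"ALERT {hit['kind']}={hit['value']} ({hit['name']})")
```

Run against the constructed response it reports two hits (the placeholder CLSID and the Outlook.Application ProgID) and ignores the unrelated control. In a real deployment the watchlist would come from the rule set, and the body would be the reassembled, decompressed HTTP payload rather than a raw segment, since gzip-encoded or chunked bodies defeat a plain substring match.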

What To Look For

No information provided

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos, Alex Kirk, Nigel Houghton

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None