VRT Advisories


VRT Rules 2005-04-12

Sourcefire VRT Certified Rule Update

Date: 2005-04-12

Synopsis:

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Microsoft Internet Explorer and the Microsoft Windows operating system.

Details:

Dynamic HTML extends static HTML pages to allow interactive web pages to be easily created. A flaw in the Microsoft Internet Explorer DHTML Engine may allow an attacker to exploit a race condition and possibly execute code of their choosing on the victim host with the privileges of the user running Internet Explorer.

Internet Explorer allows various DHTML objects to be used via JavaScript. Poor memory management in the object handling code of Internet Explorer may allow an attacker to overwrite portions of memory and execute code of their choosing on a vulnerable host.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3549 and 3553.

A programming error in Microsoft Internet Explorer may allow an attacker to execute code of their choosing on a vulnerable host. Specifically, the error lies in the handling of hostnames longer than 256 characters. When IE tries to process a hostname of this length or longer, the process may crash or cause the application to become unstable, presenting the attacker with an opportunity to execute code of their choosing on an affected system.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 3550.

Microsoft Windows has design errors that may enable an attacker to execute code of their choosing on a vulnerable system. Specifically, it is possible to execute code from objects not marked as executable.

Microsoft OLE2 allows objects to be executed by integrating applications. The Class ID (CLSID) of an object allows objects to be loaded by multiple applications. This CLSID is embedded in the object and may be manipulated by an attacker to force an application into executing code of the attacker's choosing.

Specifically, the CLSID can be made to point at the Microsoft HTML Application Host (MSHTA). MSHTA.EXE will process each line of a file and execute any script code it finds.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 3551 and 3552.
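The following is an added example, not Sourcefire's rule logic and not code from this advisory. It reads the CLSID embedded in the root storage entry of an OLE2 compound file and reports whether it is the CLSID Windows registers for HTML Applications, which is the condition described above. The function names and the constructed sample files are assumptions made for the example.

```python
import struct
import uuid

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# CLSID registered on Windows for "HTML Application" (handled by MSHTA.EXE).
HTA_CLSID = uuid.UUID("3050F4D8-98B5-11CF-BB82-00AA00BDCE0B")
# CLSID of a Word 97-2003 document, used here as the benign comparison.
WORD_CLSID = uuid.UUID("00020906-0000-0000-C000-000000000046")


def root_clsid(data: bytes):
    """Return the root storage CLSID of an OLE2 compound file, or None."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    (sector_shift,) = struct.unpack_from("<H", data, 30)
    (first_dir_sector,) = struct.unpack_from("<I", data, 48)
    if sector_shift not in (9, 12):          # 512- or 4096-byte sectors
        return None
    # Sector n starts at (n + 1) * sector_size; the header takes the first slot.
    offset = (first_dir_sector + 1) << sector_shift
    entry = data[offset:offset + 128]        # first directory entry
    if len(entry) < 128 or entry[66] != 5:   # object type 5 = root storage
        return None
    return uuid.UUID(bytes_le=entry[80:96])  # GUIDs are stored mixed-endian


def has_hta_clsid(data: bytes) -> bool:
    """True when the object's embedded CLSID points at the HTA host."""
    return root_clsid(data) == HTA_CLSID


def build_sample(clsid: uuid.UUID) -> bytes:
    """Constructed minimal OLE2 image: header plus one directory sector."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    # minor version, major version, byte-order mark, sector shift (2**9 = 512)
    struct.pack_into("<HHHH", header, 24, 0x3E, 3, 0xFFFE, 9)
    struct.pack_into("<I", header, 48, 0)    # directory starts in sector 0
    root = bytearray(512)
    name = "Root Entry".encode("utf-16-le") + b"\0\0"
    root[:len(name)] = name
    struct.pack_into("<HB", root, 64, len(name), 5)
    root[80:96] = clsid.bytes_le
    return bytes(header + root)


if __name__ == "__main__":
    for label, clsid in (("word", WORD_CLSID), ("hta", HTA_CLSID)):
        print(label, has_hta_clsid(build_sample(clsid)))
```

A mail or web gateway could apply such a check to attachments and downloads whose file extension does not indicate an HTML Application.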

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.