VRT Advisories



VRT Rules 2006-06-15

Sourcefire VRT Update

Date: 2006-06-15

Synopsis:

The Sourcefire VRT has learned of multiple vulnerabilities affecting Microsoft Internet Explorer, Windows Media Player and the Microsoft Operating System.

Details:

Microsoft Security Bulletin MS06-021: Internet Explorer does not correctly handle input to certain ActiveX controls. It is possible for an attacker to supply data of their choosing to the DXImageTransform.Microsoft.Light ActiveX control and execute code on the affected host.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6516 through 6519 and 6680 through 6687.

Microsoft Security Bulletin MS06-024: Windows Media Player is vulnerable to a stack-based buffer overflow that an attacker can exploit via a PNG image with a large chunk size.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6688 through 6701.

Microsoft Security Bulletin MS06-025: Microsoft operating systems using Routing and Remote Access (RRAS) are vulnerable to a memory corruption problem that may be exploited by unauthenticated users. This may lead to code of the attacker's choosing being run on an affected host.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6584 through 6679.

Microsoft Security Bulletin MS06-032: The TCP/IP stack in Microsoft Windows systems is vulnerable to remote code execution. The stack does not correctly process loose and strict source routing packets, which may present an attacker with the opportunity to execute code of their choosing on an affected system.

Rules to detect attacks against this vulnerability are already available and are identified as sids 500 and 502.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

Posted by on Jun 15, 2006



VRT Rules 2006-06-13

Sourcefire VRT Update

Date: 2006-06-13

Synopsis:

The Sourcefire VRT has learned of multiple vulnerabilities affecting Microsoft Internet Explorer, Apple QuickTime, Novell eDirectory, Sophos Anti-Virus and Symantec Anti-Virus products.

Details:

Microsoft Internet Explorer contains a programming error in the way that it processes MIME HTML (mhtml) links, which are commonly embedded in HTML email. The error in processing the links may allow a remote attacker to overflow a fixed-length buffer and execute code of their choosing on the target system.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6509 and 6510.

Apple QuickTime fails to properly check user-supplied data, which may allow a remote attacker to overflow a fixed-length buffer and execute code of their choosing on the target host.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6505 and 6506.

Novell eDirectory Server contains a vulnerability that may allow an attacker to overflow a fixed-length buffer and execute code of their choosing on an affected server. The vulnerability exists in the iMonitor NDS server and may be exploited via a specially crafted URI sent to the service.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 6507.

Sophos Anti-Virus fails to properly process Microsoft CAB files. A remote attacker may be able to leverage this vulnerability to execute code of their choosing on the target host or cause a denial of service (DoS) against the Sophos Anti-Virus process.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 6504.

Symantec Anti-Virus Real-Time Scan Service suffers from a programming error that may allow a remote attacker to execute code of their choosing on an affected host.

A rule to detect attacks against this vulnerability is included in this rule pack and is identified as sid 6512.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

Posted by on Jun 13, 2006



VRT Rules 2006-06-05

Snort 2.4.5 and 2.6.0 Final

Date: 2006-06-05

The Snort Team is pleased to announce the release of Snort 2.4.5 and Snort 2.6.0 Final.

The Snort Team would like to thank all those who tested the Snort 2.6 release candidates and provided valuable feedback and bug reports. Snort 2.6 is the way of the future for Snort development and its release signifies the end of life for development on the Snort 2.4 branch.

These releases have better performance, numerous new features and incorporate many bug fixes. Notable bug fixes and improvements include:

  • TCP streams are now properly reassembled after a failed sequence check; the earlier behavior could lead to possible detection evasion.
  • Added configurable stream flushpoints.
  • Improved RPC processing.
  • Improved portscan detection.
  • Improved HTTP request processing and handling of possible evasion cases.
  • Improved performance monitoring.

The Snort 2.6 release also introduces the ability to use dynamic rules and dynamic preprocessors and contains further improvements to the Snort detection engine.

Sourcefire would like to thank Erik Kamerling of the SANS Attack Attribution Research Group, Sid Faber from CERT and Chris Ries from Vigilant minds for reporting the issue with stream reassembly and the possible evasion cases.

The Snort Team is continuing to investigate the issues with http_inspect evasion and will release further updates to the detection preprocessor as they become available.

Note:
With the release of Snort v2.6.0, we are moving to a new versioning system for all future releases. This new system is designed to enable more frequent bug and feature releases, while still meeting the needs of Snort enterprise users. The following is a description:

  • X. - Major Snort product change
  • X.X - Major new feature set
  • X.X.X - Minor feature enhancements and bug fixes
  • X.X.X.X - Bug fixes only

For example, a bug fix to Snort 2.6.0 would increment the version to Snort 2.6.0.1, while a minor feature enhancement would increment the version to 2.6.1.

Posted by on Jun 05, 2006



VRT Rules 2006-05-26

Sourcefire VRT Update

Date: 2006-05-24

Synopsis:

The Sourcefire VRT has learned of vulnerabilities affecting hosts using RealVNC.

Details:

RealVNC is a multiplatform remote administration tool that allows networked hosts to connect to other hosts or mobile devices. It has a client-server architecture that requires the remote user to authenticate on connection to a RealVNC server.

A programming error in the authentication mechanism for RealVNC may allow an attacker to gain access to the host without supplying the correct credentials.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6469 through 6471.

In response to continued feedback regarding the spyware-put rules, the Sourcefire VRT is continuing to improve coverage provided by these rules and the accuracy of detection. This rulepack contains modifications to this set of rules.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

Posted by on May 26, 2006



VRT Rules 2006-05-24

Sourcefire VRT Update

Date: 2006-05-24

Synopsis:

The Sourcefire VRT has learned of vulnerabilities affecting hosts using RealVNC.

Details:

RealVNC is a multiplatform remote administration tool that allows networked hosts to connect to other hosts or mobile devices. It has a client-server architecture that requires the remote user to authenticate on connection to a RealVNC server.

A programming error in the authentication mechanism for RealVNC may allow an attacker to gain access to the host without supplying the correct credentials.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6469 through 6471.

In response to continued feedback regarding the spyware-put rules, the Sourcefire VRT is continuing to improve coverage provided by these rules and the accuracy of detection. This rulepack contains modifications to this set of rules.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

Posted by on May 24, 2006


