VRT Advisories


January 2000 Archive

Advisory

VRT Advisory - 2010-06-22
MS10-030, MS10-031
http://www.snort.org/vrt/advisories/vrt-rules-2010-06-22.html

This release adds and modifies rules in several categories.


Posted by on Jan 01, 2000



Ie Issue Js V2

The Sourcefire Vulnerability Research Team (VRT) has learned of two vulnerabilities in Microsoft Internet Explorer that have been released and currently remain unpatched. The following provides detailed analysis from VRT testing as well as suggested rules to detect recent exploits.

Vulnerability Overview:

1. Bugtraq ID 17131 - Microsoft Internet Explorer Script Action Handler Buffer Overflow Vulnerability
2. Bugtraq ID 17196 - Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability

VRT Analysis:

The VRT has conducted extensive research into how these vulnerabilities work and how to detect the current exploits that have been released. These rules may also detect future variants.

Currently our research into Bugtraq 17131 shows that roughly 100 of these action handlers are required in a single tag to trigger the vulnerability. It can be any combination of these action handlers as long as there are roughly 100 of them in the same tag.

Additionally, research into Bugtraq 17196 shows that this vulnerability is triggered by the use of the createTextRange function in an inappropriate object or HTML tag that will be parsed by Internet Explorer. This vulnerability relies solely on the usage of this function in conjunction with objects that do not support it.

Detection:

The nature of these vulnerabilities is such that the generic vulnerability detection required for VRT Certified Rules is not practical; however, the VRT has released the following rules to the Community ruleset, along with explanations of the limitations of each.
For Bugtraq ID 17131:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT Internet Explorer intrinsic event heap overflow attempt"; flow:established; content:"on"; nocase; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; pcre:"on(afterupdate|(db)?click|help|key(up|down|press)|mouse(up|down|move|o(ut|ver))|(drag|select)start|r(owe(xit|nter)|eadystatechange))/iR"; reference:bugtraq,17131; sid:100000238; rev:1;)

NOTE: This rule is very performance intensive as the pcre is recursive in nature and requires inspecting large HTML sessions.
For Bugtraq ID 17196:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY WEB-CLIENT IE createTextRange overflow attempt"; flow:to_client,established; content:".createTextRange"; nocase; classtype:attempted-user; reference:bugtraq,17196; reference:cve,2006-1359; sid:100000239; rev:1;)

NOTE: This rule is a generic content match as the exploitation vectors are too varied to be more specific. This means the rule potentially has a very high noise-to-signal ratio. Numerous commonly used web sites use this function in a non-malicious manner, and browsing these sites may cause this rule to generate events. Care should be taken when analyzing events generated by this rule.

These rules are available in the Community Ruleset at http://www.snort.org/pub-bin/downloads.cgi#COMM.

Conclusion:

Effective detection of these web client vulnerabilities requires extensive parsing of the HTML DOM tree for each and every web page visited by a client. This detection is best handled by local system software that can perform the inspection in the context of the browser.
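The contrast drawn in the conclusion, as an added example that is not part of the original advisory or the Snort rule set: a payload-wide match in the style of the sid:100000238 rule fires whenever enough handler names appear anywhere in a page, while a parser that sees tag boundaries can count handlers per tag. The threshold of 11 (the number of chained pcre options in that rule), the function names and the sample pages are assumptions made for this illustration, and stream_match is a rough stand-in for the rule, not Snort's matching engine.

```python
import re
from html.parser import HTMLParser

# Handler-name pattern copied from the pcre options of the sid:100000238 rule.
HANDLER = re.compile(
    r"on(afterupdate|(db)?click|help|key(up|down|press)|"
    r"mouse(up|down|move|o(ut|ver))|(drag|select)start|"
    r"r(owe(xit|nter)|eadystatechange))", re.I)

RULE_PCRE_COUNT = 11  # assumption: threshold mirrors the rule's chained pcre options


def stream_match(payload):
    """Rough stand-in for the rule: enough handler names anywhere in the payload."""
    return sum(1 for _ in HANDLER.finditer(payload)) >= RULE_PCRE_COUNT


class TagHandlerCounter(HTMLParser):
    """Counts handler attributes on each start tag, using tag boundaries."""

    def __init__(self, threshold):
        super().__init__()
        self.threshold = threshold
        self.findings = []  # (tag name, line number, handler count)

    def handle_starttag(self, tag, attrs):
        count = sum(1 for name, _ in attrs if HANDLER.fullmatch(name))
        if count >= self.threshold:
            self.findings.append((tag, self.getpos()[0], count))


def tags_over_threshold(html, threshold=RULE_PCRE_COUNT):
    """Return the tags that carry at least `threshold` handler attributes."""
    parser = TagHandlerCounter(threshold)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (not captured traffic).
NAMES = ["onclick", "onhelp", "onkeyup", "onkeydown", "onkeypress", "onmouseup",
         "onmousedown", "onmousemove", "onmouseout", "onmouseover",
         "ondragstart", "onselectstart"]
# Ordinary page: twelve handlers, one per element.
SPREAD = "\n".join(f'<a href="#" {n}="f()">x</a>' for n in NAMES)
# Twelve handlers stacked on a single tag.
STACKED = '<img src="a.gif" ' + " ".join(f'{n}="f()"' for n in NAMES) + ">"

if __name__ == "__main__":
    for label, page in (("spread", SPREAD), ("stacked", STACKED)):
        print(label, stream_match(page), tags_over_threshold(page))
```

Both sample pages satisfy the payload-wide match, but only the stacked tag is reported by the per-tag count; the advisory puts the real trigger at roughly 100 handlers in one tag, so a deployed threshold would be set accordingly.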




Index

VRT Certified Rule Advisories


2010


April: 2010-04-06, 2010-04-08, 2010-04-13, 2010-04-15
March: 2010-03-04, 2010-03-09, 2010-03-10, 2010-03-17, 2010-03-23, 2010-03-30
February: 2010-02-09, 2010-02-17, 2010-02-23, 2010-02-25, 2010-02-26
January: 2010-01-06, 2010-01-12, 2010-01-15, 2010-01-19, 2010-01-21, 2010-01-26, 2010-01-28



2009


December: 2009-12-08, 2009-12-15, 2009-12-17, 2009-12-23
November: 2009-11-03, 2009-11-10, 2009-11-13, 2009-11-18, 2009-11-23, 2009-11-25
October: 2009-10-06, 2009-10-08, 2009-10-13, 2009-10-20, 2009-10-22
September: 2009-09-01, 2009-09-08, 2009-09-09, 2009-09-15, 2009-09-17, 2009-09-21, 2009-09-28
August: 2009-08-11, 2009-08-18, 2009-08-25
July: 2009-07-01, 2009-07-07, 2009-07-14, 2009-07-15, 2009-07-16, 2009-07-21, 2009-07-22, 2009-07-28, 2009-07-29
June: 2009-06-09, 2009-06-12, 2009-06-16, 2009-06-22
May: 2009-05-05, 2009-05-12, 2009-05-18, 2009-05-26, 2009-05-29
April: 2009-04-08, 2009-04-10, 2009-04-14, 2009-04-21
March: 2009-03-03, 2009-03-10, 2009-03-17, 2009-03-27, 2009-03-31
February: 2009-02-03, 2009-02-10, 2009-02-20, 2009-02-24, 2009-02-27
January: 2009-01-06, 2009-01-13, 2009-01-20, 2009-01-27



2008


December: 2008-12-09, 2008-12-11, 2008-12-16, 2008-12-23
November: 2008-11-04, 2008-11-11, 2008-11-18
October: 2008-10-06, 2008-10-14, 2008-10-20, 2008-10-23, 2008-10-28
September: 2008-09-09, 2008-09-18, 2008-09-24
August: 2008-08-12, 2008-08-19, 2008-08-26
July: 2008-07-01, 2008-07-08, 2008-07-09, 2008-07-11, 2008-07-15, 2008-07-22, 2008-07-29
June: 2008-06-05, 2008-06-10, 2008-06-24
May: 2008-05-13, 2008-05-19, 2008-05-27, 2008-05-29
April: 2008-04-02, 2008-04-08, 2008-04-22, 2008-04-30
March: 2008-03-04, 2008-03-06, 2008-03-11, 2008-03-24
February: 2008-02-05, 2008-02-12, 2008-02-20, 2008-02-26
January: 2008-01-08, 2008-01-10, 2008-01-23, 2008-01-29



2007


December: 2007-12-04, 2007-12-11, 2007-12-18
November: 2007-11-06, 2007-11-13, 2007-11-28
October: 2007-10-02, 2007-10-09, 2007-10-16, 2007-10-23, 2007-10-26
September: 2007-09-04, 2007-09-11, 2007-09-17, 2007-09-25
August: 2007-08-01, 2007-08-07, 2007-08-14, 2007-08-21, 2007-08-28
July: 2007-07-03, 2007-07-10, 2007-07-12, 2007-07-24, 2007-07-31
June: 2007-06-11, 2007-06-12, 2007-06-13, 2007-06-19, 2007-06-26
May: 2007-05-08, 2007-05-14, 2007-05-16, 2007-05-18, 2007-05-24
April: 2007-04-03, 2007-04-10, 2007-04-13, 2007-04-16, 2007-04-17, 2007-04-26
March: 2007-03-08, 2007-03-22, 2007-03-30
February: 2007-02-01, 2007-02-09, 2007-02-12, 2007-02-13, 2007-02-17, 2007-02-20, 2007-02-21
January: 2007-01-04, 2007-01-09, 2007-01-10, 2007-01-22



2006


December: 2006-12-07, 2006-12-12, 2006-12-15
November: 2006-11-06, 2006-11-14, 2006-11-16
October: 2006-10-02, 2006-10-03, 2006-10-04, 2006-10-10, 2006-10-11, 2006-10-18
September: 2006-09-01, 2006-09-12, 2006-09-15, 2006-09-19, 2006-09-20, 2006-09-21
August: 2006-08-02, 2006-08-09, 2006-08-11, 2006-08-22
July: 2006-07-06, 2006-07-13, 2006-07-18, 2006-07-20, 2006-07-28
June: 2006-06-05, 2006-06-13, 2006-06-15, 2006-06-27, 2006-06-28
May: 2006-05-05, 2006-05-10, 2006-05-24, 2006-05-26
April: 2006-04-12, 2006-04-25
March: 2006-03-08, 2006-03-29
February: 2006-02-15, 2006-02-17, 2006-02-23, 2006-02-24, 2006-02-25
January: 2006-01-05, 2006-01-25, 2006-01-27



2005


December: 2005-12-01, 2005-12-08, 2005-12-14, 2005-12-30
November: 2005-11-08, 2005-11-09, 2005-11-17, 2005-11-22
October: 2005-10-12, 2005-10-25
September: 2005-09-19, 2005-09-26, 2005-09-27
August: 2005-08-12, 2005-08-14, 2005-08-18
July: 2005-07-08, 2005-07-22
June: 2005-06-15, 2005-06-29, 2005-06-30
May: 2005-05-04, 2005-05-18, 2005-05-31
April: 2005-04-05, 2005-04-12, 2005-04-14, 2005-04-18, 2005-04-20
March: 2005-03-09, 2005-03-16, 2005-03-28






MS Archive

VRT Certified Rule To Microsoft Advisory Map Archive Index


Year Archive
2010 Available here
2009 Available here
2008 Available here
2007 Available here
2006 Available here
2005 Available here
2004 Available here
2003 Available here
2002 Available here
2001 Available here
2000 Available here


