VRT Rules 2006-06-15

Sourcefire VRT Update

Date: 2006-06-15

Synopsis:

The Sourcefire VRT has learned of multiple vulnerabilities affecting Microsoft Internet Explorer, Windows Media Player and the Microsoft Operating System.

Details:

Microsoft Security Bulletin MS06-021: Internet Explorer does not correctly handle input to certain ActiveX controls. An attacker can supply data of their choosing to the DXImageTransform.Microsoft.Light ActiveX control and execute code on the affected host.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6516 through 6519 and 6680 through 6687.

Microsoft Security Bulletin MS06-024: Windows Media Player is vulnerable to a stack-based buffer overflow that an attacker can exploit via a PNG image with a large chunk size.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6688 through 6701.

Microsoft Security Bulletin MS06-025: Microsoft operating systems using Routing and Remote Access (RRAS) are vulnerable to a memory corruption problem that may be exploited by unauthenticated users. This may lead to code of the attacker's choosing being run on an affected host.

Rules to detect attacks against this vulnerability are included in this rule pack and are identified as sids 6584 through 6679.

Microsoft Security Bulletin MS06-032: The TCP/IP stack in Microsoft Windows systems is vulnerable to remote code execution. The stack does not correctly process loose and strict source routing packets, which may present an attacker with the opportunity to execute code of their choosing on an affected system.

Rules to detect attacks against this vulnerability are already available and are identified as sids 500 and 502.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.