VRT Rules 2009-10-13

Sourcefire VRT Rules Update

Date: 2009-10-13

Synopsis:

The Sourcefire VRT is aware of multiple vulnerabilities affecting products from Microsoft and Adobe.

Details:

Microsoft Security Advisory (MS09-050):
A vulnerability in the way that Microsoft Windows systems process SMBv2.0 transactions may allow a remote attacker to execute code on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16168.

Additionally, a previously released rule to detect attacks targeting this issue has been updated with the appropriate reference information and is included in this release as GID 1, SID 15930.

Microsoft Security Advisory (MS09-051):
A vulnerability in Windows Media Runtime may allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 3, SIDs 16157 and 16158.

Microsoft Security Advisory (MS09-052):
A vulnerability in the Windows Media Player may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16156.

Microsoft Security Advisory (MS09-053):
A vulnerability in the FTP service for Microsoft Internet Information Services may allow a remote attacker to execute code on an affected system.

Previously released rules to detect attacks targeting this issue have been updated with the appropriate reference information and are included in this release. They are identified with GID 1, SIDs 1973, 2374 and 15932.

Microsoft Security Advisory (MS09-054):
Microsoft Internet Explorer contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 16149 through 16152.

Microsoft Security Advisory (MS09-055):
A vulnerability in the way that ActiveX controls are handled may allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 16159 through 16166.

Microsoft Security Advisory (MS09-056):
A vulnerability in the way that SSL certificates are handled by the Microsoft CryptAPI may allow a remote attacker to spoof a genuine certificate.

Rules to detect attacks targeting this issue are included in this release and are identified with GID 3, SIDs 16180 and 16181.

Microsoft Security Advisory (MS09-057):
A vulnerability in the Internet Explorer indexing service may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16155.

Microsoft Security Advisory (MS09-059):
A vulnerability in the Microsoft Local Security Authority Subsystem Service (LSASS) may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 16167.

Microsoft Security Advisory (MS09-060):
Multiple vulnerabilities in the Microsoft Active Template Library (ATL) ActiveX controls for Microsoft Office may allow a remote attacker to execute code on an affected system.

Previously released rules to detect attacks targeting this issue have been updated with the appropriate reference information and are included in this release as GID 1, SIDs 15638, 15639, 15670, 15671, 15904 and 15905.

Microsoft Security Advisory (MS09-061):
Multiple vulnerabilities in the Microsoft .NET Common Language Runtime may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 16179, 16182 and 16183.

Microsoft Security Advisory (MS09-062):
Multiple vulnerabilities in Microsoft GDI+ may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 16153, 16154, 16177, 16178 and 16184 through 16186.

Additionally, previously released rules that also detect attacks targeting these vulnerabilities have been updated with the appropriate reference information and are included in this release, identified with GID 3, SID 13878 and GID 1, SID 6700.

Adobe Vulnerabilities:
Multiple products from Adobe corporation contain vulnerabilities that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 16172 through 16176.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading-edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.