Talos Rules 2016-01-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-001: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 33287 through 33288, and 33897 through 33898.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 37283 through 37284.

Microsoft Security Bulletin MS16-002: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37279 through 37280.

Microsoft Security Bulletin MS16-004: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37259 through 37260, 37273 through 37274, and 37281 through 37282.

Microsoft Security Bulletin MS16-005: A coding deficiency exists in Microsoft kernel-mode drivers that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37265 through 37266.

Microsoft Security Bulletin MS16-006: A coding deficiency exists in Microsoft Silverlight that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37267 through 37268.

Microsoft Security Bulletin MS16-007: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37257 through 37258, 37261 through 37264, and 37275 through 37278.

Microsoft Security Bulletin MS16-008: A coding deficiency exists in the Microsoft kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37269 through 37272.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-office, file-other, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-01-12 19:03:11 UTC

Snort Subscriber Rules Update

Date: 2016-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
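The changelog lines below follow the format just described, and an analyst usually wants to turn them into something queryable: which new SIDs ship DISABLED by default (and so need enabling before they provide the coverage the bulletin summary promises), and which SIDs fall into the ranges a bulletin cites. The parser here is an added example, not Talos or Snort tooling; the sample input is a handful of lines copied from this release's "New Rules" list, and the function names and the regular expression are the author's own assumptions about the format, not anything Talos publishes.

```python
import re
from collections import Counter

# Constructed sample: five lines copied from the "New Rules" list of this release.
SAMPLE = """\
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37281 <-> DISABLED <-> FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt (file-other.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37269 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
"""

# Matches "gid:sid <-> Default rule state <-> Message (rule group)"; the regex is
# an assumption derived from the format line, not an official grammar.
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^)]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse changelog text into a list of rule dicts; non-matching lines
    (section headers, blank lines) are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rules.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "msg": m.group("msg"),
            "group": m.group("group"),
        })
    return rules


def disabled_by_default(rules):
    """SIDs that ship DISABLED: these give no coverage until a policy enables them."""
    return sorted(r["sid"] for r in rules if r["state"] == "DISABLED")


def in_sid_ranges(rules, ranges):
    """SIDs falling inside any inclusive (lo, hi) range, e.g. the ranges the
    bulletin summary quotes for one MS16 bulletin."""
    return sorted(
        r["sid"] for r in rules if any(lo <= r["sid"] <= hi for lo, hi in ranges)
    )


def count_by_group(rules):
    """Number of rules per rule-group file, to cross-check the summary paragraph."""
    return dict(Counter(r["group"] for r in rules))


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("disabled by default:", disabled_by_default(parsed))
    print("MS16-002 (Edge) SIDs present:", in_sid_ranges(parsed, [(37279, 37280)]))
    print("per group:", count_by_group(parsed))
```

Run against the full changelog text rather than the sample, `disabled_by_default` is the list to review before assuming the release covers a bulletin; the Edge rules for MS16-002 (37279 and 37280), for instance, are listed as DISABLED in every changelog on this page.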

New Rules:

 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules)
 * 1:37291 <-> DISABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37292 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37290 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37289 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37281 <-> DISABLED <-> FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt (file-other.rules)
 * 1:37282 <-> DISABLED <-> FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt (file-other.rules)
 * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules)
 * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules)
 * 1:37287 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules)
 * 1:37265 <-> ENABLED <-> FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt (file-office.rules)
 * 1:37266 <-> ENABLED <-> FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt (file-office.rules)
 * 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37269 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37271 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37270 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37272 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37273 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF parser heap overflow attempt (file-office.rules)
 * 1:37274 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF parser heap overflow attempt (file-office.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules)
 * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules)
 * 1:37288 <-> DISABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37277 <-> ENABLED <-> OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt (os-windows.rules)
 * 1:37259 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt (file-office.rules)
 * 1:37278 <-> ENABLED <-> OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt (os-windows.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules)
 * 1:37260 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt (file-office.rules)
 * 1:37286 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37285 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)

Modified Rules:

 * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:33898 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
 * 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:33288 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33897 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:32377 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
 * 1:33287 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)

2016-01-12 19:03:11 UTC

Snort Subscriber Rules Update

Date: 2016-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37282 <-> DISABLED <-> FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt (file-other.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37281 <-> DISABLED <-> FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt (file-other.rules)
 * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules)
 * 1:37259 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt (file-office.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules)
 * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules)
 * 1:37265 <-> ENABLED <-> FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt (file-office.rules)
 * 1:37266 <-> ENABLED <-> FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt (file-office.rules)
 * 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37269 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37270 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37271 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37272 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37273 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF parser heap overflow attempt (file-office.rules)
 * 1:37274 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF parser heap overflow attempt (file-office.rules)
 * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules)
 * 1:37277 <-> ENABLED <-> OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt (os-windows.rules)
 * 1:37278 <-> ENABLED <-> OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt (os-windows.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules)
 * 1:37260 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt (file-office.rules)
 * 1:37292 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37291 <-> DISABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37290 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37289 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37288 <-> DISABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37287 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37286 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules)
 * 1:37285 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)

Modified Rules:

 * 1:32377 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
 * 1:33287 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33897 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:33898 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)

2016-01-12 19:03:09 UTC

Snort Subscriber Rules Update

Date: 2016-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37292 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37291 <-> DISABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37290 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37289 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37288 <-> DISABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37287 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37286 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37285 <-> ENABLED <-> SERVER-OTHER Trend Micro local node.js http command execution attempt (server-other.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37282 <-> DISABLED <-> FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt (file-other.rules)
 * 1:37281 <-> DISABLED <-> FILE-OTHER Microsoft Office MScomctl.ocx memory leak attempt (file-other.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37278 <-> ENABLED <-> OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt (os-windows.rules)
 * 1:37277 <-> ENABLED <-> OS-WINDOWS Microsoft Windows devenum.dll device moniker underflow attempt (os-windows.rules)
 * 1:37276 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules)
 * 1:37275 <-> ENABLED <-> OS-WINDOWS Microsoft Windows feclient.dll dll-load exploit attempt (os-windows.rules)
 * 1:37274 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF parser heap overflow attempt (file-office.rules)
 * 1:37273 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF parser heap overflow attempt (file-office.rules)
 * 1:37272 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37271 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37270 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37269 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
 * 1:37266 <-> ENABLED <-> FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt (file-office.rules)
 * 1:37265 <-> ENABLED <-> FILE-OFFICE Microsoft Office metafile conversion out of bounds read attempt (file-office.rules)
 * 1:37264 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules)
 * 1:37263 <-> ENABLED <-> FILE-OFFICE Microsoft Office api-ms-win-core-winrt-l1-1-0.dll dll-load exploit attempt (file-office.rules)
 * 1:37262 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules)
 * 1:37261 <-> ENABLED <-> FILE-OFFICE Microsoft Office mfplat.dll dll-load exploit attempt (file-office.rules)
 * 1:37260 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt (file-office.rules)
 * 1:37259 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel mso20win32client use after free attempt (file-office.rules)
 * 1:37258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules)
 * 1:37257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mapi32x.dll dll-load exploit attempt (browser-ie.rules)

Modified Rules:

 * 1:20128 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
 * 1:31772 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cridex variant outbound connection (malware-cnc.rules)
 * 1:32377 <-> DISABLED <-> FILE-OFFICE Microsoft Office invalid MS-OGRAPH DataFormat buffer overflow attempt (file-office.rules)
 * 1:33287 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33288 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
 * 1:33897 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:33898 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer javascript iframe injection attempt (browser-ie.rules)
 * 1:36500 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)
 * 1:36501 <-> ENABLED <-> FILE-OTHER Microsoft Word WordPerfect CSTYL border element stack overflow attempt (file-other.rules)