Tools:

Web Tools:

Mind Games:

Papers:

See also:

Contact:

Sourcefire Vulnerability Research Team Labs

VRT Certified Rule Information for Microsoft Security Advisories

As part of the Microsoft Active Protections Program (MAPP), the Sourcefire VRT has released detection content to help protect customers from attacks targeting the vulnerabilities for the following Microsoft Security Advisories:

Microsoft Advisory: Applicable Rules:
Vulnerability in Microsoft Word Could Allow Remote Code Execution
The vulnerability is a remote code execution vulnerability. The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code. The vulnerability could be exploited through Microsoft Outlook only when using Microsoft Word as the email viewer. Note that by default, Microsoft Word is the email reader in Microsoft Outlook 2007, Microsoft Outlook 2010, and Microsoft Outlook 2013.
GID 1, SIDs 24974 and 24975 have been updated with the appropriate reference information for this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.
Vulnerability in Microsoft Internet Explorer Could Allow Remote Code Execution
Use-after-free vulnerability in Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, as exploited in the wild in January and February 2014
For more details, including work-arounds, see the NIST CVE advisory linked to the left.
GID 1, SIDs 29819 and 29820 have been released to detect attacks targeting this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.
Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images. An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content.
For more details, including work-arounds, see the Microsoft advisory linked to the left.
GID 1, SIDs 28464 through 28471 have been released to detect attacks targeting this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.
Vulnerability in Internet Explorer Could Allow Remote Code Execution
This is a remote code execution vulnerability in Internet Explorer 8 and Internet Explorer 9. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
For more details, including work-arounds, see the Microsoft advisory linked to the left.
GID 1, SIDs 27943 and 27944 have been released to detect attacks targeting this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.
Vulnerability in Internet Explorer Could Allow Remote Code Execution
This is a remote code execution vulnerability in Internet Explorer 8. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
For more details, including work-arounds, see the Microsoft advisory linked to the left.
GID 1, SIDs 26569 through 26572 have been released to detect attacks targeting this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Microsoft Internet Explorer 6, 7 and 8 contains a programming error that is manifested when Internet Explorer attempts to access an object in memory that has been deleted or improperly allocated. Successful exploitation of this vulnerability may allow a remote attacker to execute code on a vulnerable system.
For more details, including work-arounds, see the Microsoft advisory linked to the left.
GID 1, SIDs 25125 through 25134 have been released to detect attacks targeting this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Microsoft XML core services contains a programming error that is manifested when MSXML attempts to access an object in memory that has not been initialized. Successful exploitation of this vulnerability may allow a remote attacker to execute code on a vulnerable system.
For more details, including work-arounds, see the Microsoft advisory linked to the left.
GID 1, SIDs 23142 through 23146 have been released to detect attacks targeting this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.
Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege (2639658) WEB-CLIENT Microsoft TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (3:20539)
The Microsoft Windows TrueType font parsing engine contains a vulnerability that may allow a remote attacker to execute code on an affected system. A succesful exploitation of this vulnerability may allow the attacker to execute code in kernel mode. This vulnerability is also related to the Duqu malware.
For more details, including work-arounds, see the Microsoft advisory linked to the left.
GID 3, SID 20539 has been released to detect attacks targeting this vulnerability. Sourcefire customers can download the protection from the Sourcefire Customer Support Site, VRT Certified Rule subscribers can download the protection from snort.org.

Microsoft Advisory to Rule mapping archive

View the archive

('DiggThis') Delicious

About the Sourcefire Vulnerability Research Team

The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

All materials contained on this site © Sourcefire VRT