Friday, May 4, 2012

VRT Rule Update for 05/04/2012, #2 (Adobe 0day coverage)

In this release we introduced 9 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

This second release of the day provides coverage for CVE-2012-0779, which is discussed here on Adobe's site. Included in this update is more generic coverage for the attack vector surrounding this attack that is being seen in the wild. The "INDICATOR-OBFUSCATION" rules below may very well catch a ton of additional exploit methods other than the Adobe attack referenced above.

Since the usual link on Snort.org isn't currently working, I'm posting the sid and rule msg's here:


22066(1) "POLICY Microsoft Office Word ScriptBridge OCX controller attempt"
22067(1) "MISC Adobe Flash malformed error response"
22068(1) "SPECIFIC-THREATS Adobe Flash systemMemoryCall RTMP query"
22069(1) "SPECIFIC-THREATS Adobe Flash Player object confusion attempt"
22070(1) "SPECIFIC-THREATS Adobe Flash Player object confusion attempt"
22071(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"
22072(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"
22073(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"
22074(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the indicator-obfuscation, misc and specific-threats rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

No comments:

Post a Comment