This release contains 76 new rules and five modified rules.
Tuesday's release provides coverage for two notable vulnerabilities that have made headlines over the past month — some in vBulletin and others in Apple's WebKit.
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-image, file-office, file-other, indicator-compromise, os-linux, os-mobile, os-other, os-windows, policy-other, protocol-imap, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
Here are two sets of rules we wish to specifically highlight:
- 51834 - 51837: A now-patched vulnerability in the popular service vBulletin is allowing attackers to completely take over sites that use the software. vBulletin powers the commenting functions for many popular sites. An attacker could exploit this vulnerability to gain the ability to remotely execute malicious code on any vBulletin server running versions 5.0.0 through 5.5.4. This bug was initially dropped as a zero-day by an anonymous user, but has since been patched by the company. These Snort rules prevent any attempt to inject code into the server using this bug. Marcos Rodriguez wrote these rules.
- 51821 - 51824, 51831, 58132: Multiple vulnerabilities in Apple's WebKit are allowing attackers to serve users malicious advertisements. This campaign affected the Google Chrome and Safari web browsers on iOS and macOS, but the vulnerabilities were all patched out in Apple's latest series of security updates. All of the ads centered around the user's specific mobile carrier, hoping to entice them to visit malicious websites. The vulnerabilities would allow the ads to break out of any sandboxes in place. John Levy wrote these rules.