Thursday, September 9, 2021

Snort rule update for Sept. 9, 2021 — New coverage for Microsoft MSHTML zero-day

The latest SNORT rule update is available this morning, including new coverage for the recently disclosed zero-day vulnerability in Microsoft MSHTML.

Users are encouraged to deploy SIDs 58120 – 58129 to detect and prevent exploitation of CVE-2021-40444, which Microsoft disclosed earlier this week. An adversary who successfully exploits this vulnerability could execute code remotely on the victim machine or gain complete control of it. The Microsoft advisory also stated that proof-of-concept code for this vulnerability is available in the wild.

Here's a full breakdown of this rule update:

Shared object rules: 0
Modified shared object rules: 1
New rules: 9
Modified rules: 2

There were no changes made to the snort.conf in this release.

Talos' rule release: 

Today Talos is releasing coverage to detect exploitation attempts involving Microsoft Office ActiveX control abuse, tracked as CVE-2021-40444. Coverage is being released as SIDs 58120-58129 and native Snort 3 SID 300049. Talos may release additional coverage in the future as the situation develops and new guidance is created.
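As an added example (not part of the Talos post, and not Talos' own rule content), the following script checks whether the SIDs named above are actually present and enabled in a local Snort rules file, which is the practical question after any rule update: a rule that was pulled but left commented out will never fire. The sample rule text embedded in the script is constructed placeholder content for the demonstration only; it is not the real rule bodies for CVE-2021-40444, which this post does not reproduce.

```python
"""Check that a Snort rules file carries the SIDs named in a rule update.

Added example, not part of the Talos post. The rule text below is constructed
placeholder content for illustration; it is NOT the actual Talos rules for
CVE-2021-40444, whose bodies are not reproduced on the page.
"""
import re

# SIDs the post asks users to deploy (Snort 2 range plus the native Snort 3 SID).
EXPECTED_SIDS = list(range(58120, 58130)) + [300049]

# Matches "sid:58120;" with optional whitespace around the value.
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules file (placeholder bodies, not Talos' rule content).
# One rule (58122) is commented out and several expected SIDs are absent.
SAMPLE_RULES = """\
# file-office rules (sample, constructed for this example)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE example rule 1"; flow:to_client,established; sid:58120; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE example rule 2"; flow:to_client,established; sid:58121; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE example rule 3"; flow:to_client,established; sid:58122; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OFFICE example rule 4"; flow:to_client,established; sid:58123; rev:2;)
alert http any any -> any any (msg:"FILE-OFFICE example snort3 rule"; sid:300049; rev:1;)
"""


def index_rules(rule_text):
    """Map sid -> True if the rule is active, False if it is commented out.

    A line whose first non-blank character is '#' but which still carries a
    sid option is a disabled rule; a '#' line with no sid is an ordinary
    comment and is skipped.
    """
    status = {}
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        disabled = stripped.startswith("#")
        body = stripped.lstrip("#").strip() if disabled else stripped
        m = _SID_RE.search(body)
        if m is None:
            continue  # plain comment or non-rule line
        sid = int(m.group(1))
        # An enabled copy wins over a disabled duplicate of the same sid.
        status[sid] = status.get(sid, False) or not disabled
    return status


def check_coverage(rule_text, expected=EXPECTED_SIDS):
    """Return {sid: 'enabled' | 'disabled' | 'missing'} for each expected SID."""
    status = index_rules(rule_text)
    result = {}
    for sid in expected:
        if sid not in status:
            result[sid] = "missing"
        else:
            result[sid] = "enabled" if status[sid] else "disabled"
    return result


def missing_or_disabled(rule_text, expected=EXPECTED_SIDS):
    """SIDs that would not fire: absent from the file, or present but commented out."""
    return sorted(s for s, st in check_coverage(rule_text, expected).items() if st != "enabled")


if __name__ == "__main__":
    import sys
    # Pass a real rules file path as argv[1]; with no argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_RULES
    for sid, st in check_coverage(text).items():
        print(f"{sid}: {st}")
    gaps = missing_or_disabled(text)
    print("OK: all expected SIDs enabled" if not gaps else f"ACTION NEEDED: {gaps}")
```

Run it against the rules file your sensor actually loads (after the update has been pulled), not the downloaded tarball, since the enabled/disabled state is decided by that file. The script treats each rule as a single line, which is how Talos ships them; if your deployment rewraps rules with backslash continuations, join those lines before indexing.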

Talos has added and modified multiple rules in the file-office, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well here. The Snort 3 release is also here after years of development and improvements. Upgrade here.