Certified Snort Rule Information for Microsoft Security Advisories

As a member of the Microsoft Active Protections Program (MAPP), Talos receives security vulnerability information from Microsoft in advance so that it can provide detection content to protect customers from attacks targeting these vulnerabilities.


Certified Rule Information for Microsoft Security Advisories

Microsoft Advisory / Applicable Rules

For every advisory listed below, Sourcefire customers can download the rules from the Sourcefire Customer Support Site, and Talos (formerly VRT) Certified Rule subscribers can download them from snort.org.

Microsoft Advisory: Vulnerability in Microsoft Windows ATMFD font driver (CVE-2015-2426)
Applicable Rules: A vulnerability in the Microsoft Windows ATMFD font driver may lead to remote code execution. GID 1, SIDs 35105 through 35108 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Microsoft Windows ATMFD font driver (CVE-2015-2387)
Applicable Rules: A publicly exploited vulnerability in the Microsoft Windows ATMFD font driver may lead to escalation of privilege. GID 1, SIDs 35105 through 35108 have been released to detect attacks targeting this vulnerability (the same four rules cover both ATMFD advisories).

Microsoft Advisory: Vulnerability in Adobe Flash Player and Microsoft Internet Explorer
Applicable Rules: A publicly exploited vulnerability exists in Adobe Flash Player, affecting Microsoft Windows versions prior to Windows 8. GID 1, SIDs 34178 and 34179 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (CVE-2014-6352)
Applicable Rules: This is a remote code execution vulnerability that may be triggered when a user opens a specially crafted Microsoft Office file. Prior coverage is available through GID 1, SIDs 32186, 32187 and 32251 through 32259; these rules have been updated to include the reference information for this vulnerability.

Microsoft Advisory: Vulnerability in Microsoft Internet Explorer Could Allow Remote Code Execution
Applicable Rules: This is a remote code execution vulnerability. It exists in the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated, and it may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view it. GID 1, SIDs 30794 and 30803 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Microsoft Word Could Allow Remote Code Execution
Applicable Rules: This is a remote code execution vulnerability. It is triggered when Microsoft Word parses specially crafted RTF-formatted data, corrupting system memory in a way that could allow an attacker to execute arbitrary code. The vulnerability can be exploited through Microsoft Outlook only when Microsoft Word is used as the email viewer; note that Word is the default email reader in Microsoft Outlook 2007, 2010 and 2013. GID 1, SIDs 24974 and 24975 have been updated with the appropriate reference information for this vulnerability.

Microsoft Advisory: Vulnerability in Microsoft Internet Explorer Could Allow Remote Code Execution
Applicable Rules: A use-after-free vulnerability in Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, as exploited in the wild in January and February 2014. For more details, including workarounds, see the NIST CVE entry. GID 1, SIDs 29819 and 29820 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
Applicable Rules: This is a remote code execution vulnerability in the way the affected components handle specially crafted TIFF images. An attacker could exploit it by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content. For more details, including workarounds, see the Microsoft advisory. GID 1, SIDs 28464 through 28471 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Internet Explorer Could Allow Remote Code Execution
Applicable Rules: This is a remote code execution vulnerability in Internet Explorer 8 and Internet Explorer 9. It exists in the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated, and it may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view it. For more details, including workarounds, see the Microsoft advisory. GID 1, SIDs 27943 and 27944 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Internet Explorer Could Allow Remote Code Execution
Applicable Rules: This is a remote code execution vulnerability in Internet Explorer 8. It exists in the way Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated, and it may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view it. For more details, including workarounds, see the Microsoft advisory. GID 1, SIDs 26569 through 26572 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Internet Explorer Could Allow Remote Code Execution
Applicable Rules: Microsoft Internet Explorer 6, 7 and 8 contain a programming error that manifests when Internet Explorer attempts to access an object in memory that has been deleted or improperly allocated. Successful exploitation may allow a remote attacker to execute code on a vulnerable system. For more details, including workarounds, see the Microsoft advisory. GID 1, SIDs 25125 through 25134 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Applicable Rules: Microsoft XML Core Services contains a programming error that manifests when MSXML attempts to access an object in memory that has not been initialized. Successful exploitation may allow a remote attacker to execute code on a vulnerable system. For more details, including workarounds, see the Microsoft advisory. GID 1, SIDs 23142 through 23146 have been released to detect attacks targeting this vulnerability.

Microsoft Advisory: Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege (2639658)
Applicable Rules: WEB-CLIENT Microsoft TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (3:20539). The Microsoft Windows TrueType font parsing engine contains a vulnerability that may allow a remote attacker to execute code on an affected system; successful exploitation may allow the attacker to execute code in kernel mode. This vulnerability is also related to the Duqu malware. For more details, including workarounds, see the Microsoft advisory. GID 3, SID 20539 has been released to detect attacks targeting this vulnerability (GID 3 denotes a shared-object rule, so the precompiled SO rule package for your platform is required in addition to the text stub).
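A table like the one above is only useful if the listed GID/SID pairs are actually present and enabled in the deployed ruleset. The following Python script is an added example, not part of the original page and not Talos' or Sourcefire's tooling: it parses a Snort text rules file, reports which of the rules an advisory table requires are missing or commented out, and maps a CVE id to the rules whose reference option cites it. The rule lines in SAMPLE_RULES, the REQUIRED table and the helper names parse_rules, coverage_report and sids_for_cve are all constructed for this example; only the gid/sid/reference option syntax is Snort's own.

```python
"""Check a Snort text ruleset for the GID/SID coverage an advisory table lists.

Added example: the rule lines below are constructed stand-ins for a
snort.rules file, not real Talos rules; helper names are this example's own.
"""
import re

# Snort rule options are "keyword:value;" pairs inside the trailing parentheses.
ACTION_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\s')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference:\s*(\w+)\s*,\s*([^;]+?)\s*;')


def parse_rules(text):
    """Return [{gid, sid, enabled, refs}] for every rule line in text.

    A rule commented out with a leading '#' is still parsed but marked
    enabled=False, so the report can tell 'missing' from 'disabled'.
    Ordinary comments (no action keyword / no sid) are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith('#')
        body = line.lstrip('#').strip()
        if not ACTION_RE.match(body):
            continue
        sid = SID_RE.search(body)
        if not sid:
            continue
        gid = GID_RE.search(body)
        rules.append({
            'gid': int(gid.group(1)) if gid else 1,   # Snort defaults gid to 1
            'sid': int(sid.group(1)),
            'enabled': enabled,
            'refs': {(k.lower(), v) for k, v in REF_RE.findall(body)},
        })
    return rules


def coverage_report(rules, required):
    """required = {label: (gid, [sid, ...])} transcribed from an advisory table.

    Returns {label: {'missing': [...], 'disabled': [...]}} for labels with gaps only.
    """
    state = {(r['gid'], r['sid']): r['enabled'] for r in rules}
    report = {}
    for label, (gid, sids) in required.items():
        missing = [s for s in sids if (gid, s) not in state]
        disabled = [s for s in sids if state.get((gid, s)) is False]
        if missing or disabled:
            report[label] = {'missing': missing, 'disabled': disabled}
    return report


def sids_for_cve(rules, cve_id):
    """Map a CVE id ('2015-2426' or 'CVE-2015-2426') to the (gid, sid) pairs citing it."""
    cve_id = re.sub(r'(?i)^cve-', '', cve_id.strip())   # Snort writes reference:cve,YYYY-NNNN
    return sorted((r['gid'], r['sid']) for r in rules if ('cve', cve_id) in r['refs'])


# Constructed sample ruleset (shapes mimic text rules and an SO-rule stub; content is invented).
SAMPLE_RULES = r'''
# --- constructed sample, not a real Talos ruleset ---
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ATMFD sample A"; flow:to_client,established; file_data; content:"|00 01 00 00|"; reference:cve,2015-2426; reference:cve,2015-2387; classtype:attempted-user; sid:35105; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ATMFD sample B"; flow:to_client,established; file_data; content:"|4F 54 54 4F|"; reference:cve,2015-2426; reference:cve,2015-2387; classtype:attempted-user; sid:35106; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER ATMFD sample C"; flow:to_client,established; file_data; content:"|43 46 46 20|"; reference:cve,2015-2426; classtype:attempted-user; sid:35107; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB-CLIENT TrueType sfac_GetSbitBitmap stub"; sid:20539; gid:3; rev:1;)
'''

# Transcribed from the advisory table; constructed labels.
REQUIRED = {
    'ATMFD CVE-2015-2426': (1, [35105, 35106, 35107, 35108]),
    'TrueType 2639658':    (3, [20539]),
}

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for label, gaps in coverage_report(rules, REQUIRED).items():
        print(f"{label}: missing {gaps['missing']}, disabled {gaps['disabled']}")
    print('CVE-2015-2426 ->', sids_for_cve(rules, '2015-2426'))
```

Point the script at the merged rules file your sensor actually loads (after any local disable/enable policy has been applied), not at the vendor download, since a rule that is present but commented out contributes no coverage. Note that sids_for_cve reports disabled rules too, so cross-check its output against coverage_report before treating a CVE as covered.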