[Emerging-Sigs] Signature for Microsoft Internet Explorer MSHTML Findtext Processing Issue

Joel Esler jesler at sourcefire.com
Fri Oct 29 08:24:18 EDT 2010


It would probably be better to find the proper CVE for annotation.

J

On Oct 29, 2010, at 8:17 AM, dave richards wrote:

> Hi,
> 
> OK. If that sounds confusing, better to remove that CVE.
> 
> Please find the modified sig below.
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS Microsoft Internet Explorer MSHTML Findtext Remote Code Execution Attempt"; flow:to_client,established; content:"type="; nocase; content:"id=\"Abysssec\""; nocase; distance:0; content:"textRange."; nocase; distance:0; content:"findText("; nocase; distance:0; classtype:attempted-user; reference:url,exploit-db.com/exploits/15122; reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue; sid:20111020; rev:1;)
> 
> 
> 
> On Fri, Oct 29, 2010 at 11:09 AM, Daniel Clemens <daniel.clemens at packetninjas.net> wrote:
> 
> On Oct 28, 2010, at 9:29 PM, dave richards wrote:
> 
> > reference:cve,CVE-2010-2553; reference:url,exploit-db.com/exploits/15122; reference:url,exploit-db.com/moaub-27-microsoft-internet-explorer-mshtml-findtext-processing-issue; sid:20111020; rev:1;)
> 
> 
> Are you sure the CVE reference is correct?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2553
> "The Cinepak codec in Microsoft Windows XP SP2 and SP3, Windows Vista SP1 and SP2, and Windows 7 does not properly decompress media files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Cinepak Codec Decompression Vulnerability.""
> 
> | Daniel Uriah Clemens
> | Packetninjas L.L.C | | http://www.packetninjas.net
> | c. 205.567.6850      | | o. 866.267.8851
> "Moments of sorrow are moments of sobriety"
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> 
> 
> 
> -- 
> Regards,
> Dave
> 

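The content chain in the modified signature, and the reference: annotations the thread is debating, can be checked offline before a rule is submitted. The Python sketch below is an added example, not code from the thread or from Emerging Threats; its helper names and sample payloads are constructed, and it evaluates only content, nocase and distance (not flow, ports or within).

```python
import re

# Rule as posted in the thread, second reference omitted for width. The distance:0
# on the first content is left out: no earlier match exists for it to be relative to.
RULE = (r'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB-ATTACKS '
        r'Microsoft Internet Explorer MSHTML Findtext Remote Code Execution Attempt"; '
        r'flow:to_client,established; content:"type="; nocase; '
        r'content:"id=\"Abysssec\""; nocase; distance:0; content:"textRange."; nocase; '
        r'distance:0; content:"findText("; nocase; distance:0; classtype:attempted-user; '
        r'reference:url,exploit-db.com/exploits/15122; sid:20111020; rev:1;)')

OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def options(rule):
    """Split the option block into (keyword, value) pairs, honouring quoted strings."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(m.group(1), (m.group(2) or "").strip()) for m in OPTION.finditer(body)]

def content_chain(rule):
    """Ordered content matches with their nocase/distance modifiers (no |hex| support)."""
    chain = []
    for key, val in options(rule):
        if key == "content":
            pat = re.sub(r"\\(.)", r"\1", val[1:-1]).encode()
            chain.append({"pat": pat, "nocase": False, "distance": None})
        elif key == "nocase" and chain:
            chain[-1]["nocase"] = True
        elif key == "distance" and chain:
            chain[-1]["distance"] = int(val)
    return chain

def references(rule):
    """(system, id) pairs from reference: options, for checking against the advisory."""
    return [tuple(val.split(",", 1)) for key, val in options(rule) if key == "reference"]

def matches(rule, payload):
    """True if every content is found; a distance match starts after the previous one."""
    end = 0
    for c in content_chain(rule):
        hay, pat = (payload.lower(), c["pat"].lower()) if c["nocase"] else (payload, c["pat"])
        start = end + c["distance"] if c["distance"] is not None else 0
        pos = hay.find(pat, start)
        if pos < 0:
            return False
        end = pos + len(pat)
    return True

# Constructed response bodies (not captured traffic).
IN_ORDER = b'<input TYPE="text" ID="Abysssec"><script>textRange.findText("x");</script>'
REORDERED = b'<input id="Abysssec" type="text"><script>textRange.findText("x");</script>'
PLAIN = b'<input type="text" id="q"><script>textRange.findText("x");</script>'
```

`references(RULE)` lists every annotation in one place, so each can be compared with the advisory text before the rule is published.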