[Emerging-updates] Daily Ruleset Update Summary 3/8/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Mar 8 16:30:34 EST 2011


Happy Patch Tuesday! We've got some goodies for you. 

MS11-015
Windows Media Player
Exploitation via crafted ms-dvr file
 2801466 - ETPRO WEB_CLIENT Windows Media ASF File Download SET (web_client.rules)
 2801467 - ETPRO WEB_CLIENT Windows Media Remote Code Execution (web_client.rules)

Insecure DLL Loading
 2801454 - ETPRO WEB_CLIENT Windows Media Player ehtrace.dll Insecure Library Loading Code Execution Flowbit Set (web_client.rules)
 2801455 - ETPRO WEB_CLIENT Windows Media Player ehtrace.dll Insecure Library Loading Code Execution (web_client.rules)
 2801456 - ETPRO WEB_CLIENT Windows Media Player ehtrace.dll Insecure Library Loading Code Execution SMB ASCII (web_client.rules)
 2801457 - ETPRO WEB_CLIENT Windows Media Player ehtrace.dll Insecure Library Loading Code Execution SMB Unicode (web_client.rules)
 2801458 - ETPRO WEB_CLIENT Windows Media Player ehtrace.dll Insecure Library Loading Code Execution SMB-DS ASCII (web_client.rules)
 2801459 - ETPRO WEB_CLIENT Windows Media Player ehtrace.dll Insecure Library Loading Code Execution SMB-DS Unicode (web_client.rules)


MS11-016
MS Office Groove
Insecure DLL Loading.
 2801460 - ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution - Set (web_client.rules)
 2801461 - ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution (web_client.rules)
 2801462 - ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution SMB ASCII (web_client.rules)
 2801463 - ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution SMB Unicode (web_client.rules)
 2801464 - ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution SMB-DS ASCII (web_client.rules)
 2801465 - ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution SMB-DS Unicode (web_client.rules)
 

MS11-017
MS RDP Client
Insecure DLL Loading
 2801468 - ETPRO WEB_CLIENT Remote Desktop Client Insecure Library Loading Flowbit Set
 2801469 - ETPRO WEB_CLIENT Remote Desktop Client Insecure Library Loading Code Execution


Highly recommend the ISC for an objective summary of patches:
http://isc.sans.edu/diary/March+2011+Microsoft+Black+Tuesday+Summary/10510


And in other news... your regular load of sigs for today:

[+++]          Added rules:          [+++]

 2012420 - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt dsp_page.cfm pageid SELECT (web_specific_apps.rules)
 2012421 - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UNION SELECT (web_specific_apps.rules)
 2012422 - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid INSERT (web_specific_apps.rules)
 2012423 - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid DELETE (web_specific_apps.rules)
 2012424 - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid ASCII (web_specific_apps.rules)
 2012425 - ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE (web_specific_apps.rules)
 2012426 - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012427 - ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012428 - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012429 - ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012430 - ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012431 - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT (web_specific_apps.rules)
 2012432 - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT (web_specific_apps.rules)
 2012433 - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT (web_specific_apps.rules)
 2012434 - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE (web_specific_apps.rules)
 2012435 - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII (web_specific_apps.rules)
 2012436 - ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE (web_specific_apps.rules)
 2012437 - ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012438 - ET TROJAN TrojanDownloader Win32/Harnig.gen-P Reporting (trojan.rules)
 2012439 - ET TROJAN Win32.Vilsel.akd Reporting (trojan.rules)
 2012440 - ET TROJAN Downloader.Win32.Agent.bqkb Reporting (trojan.rules)
 2012441 - ET TROJAN Downloader.Win32.Banload Reporting (trojan.rules)


And the non-MS ET Pro signatures:

 2801439 - ETPRO TROJAN Generic Spanish or Portugese Trojan Infection Report (trojan.rules)
 2801440 - ETPRO TROJAN Trojan.Win32.Tatanarg.A Checkin (trojan.rules)
 2801441 - ETPRO TROJAN Backdoor.Win32.Likseput.B Checkin 1 (trojan.rules)
 2801442 - ETPRO TROJAN Backdoor.Win32.Likseput.B Checkin 2 (trojan.rules)
 2801443 - ETPRO EXPLOIT Novell Netware XNFS.NLM Stack Buffer Overflow 1 (exploit.rules)
 2801444 - ETPRO EXPLOIT Novell Netware XNFS.NLM Stack Buffer Overflow 2 (exploit.rules)
 2801445 - ETPRO EXPLOIT RedHat JBoss Enterprise Application Platform JMX Console Authentication Bypass (exploit.rules)
 2801446 - ETPRO WEB_CLIENT Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading Flowbit Set (web_client.rules)
 2801447 - ETPRO WEB_CLIENT Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading (web_client.rules)
 2801448 - ETPRO WEB_CLIENT Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading SMB ASCII (web_client.rules)
 2801449 - ETPRO WEB_CLIENT Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading SMB Unicode (web_client.rules)
 2801450 - ETPRO WEB_CLIENT Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading SMB-DS ASCII (web_client.rules)
 2801451 - ETPRO WEB_CLIENT Microsoft Internet Explorer 8 IESHIMS.DLL Insecure Library Loading SMB-DS Unicode (web_client.rules)
 2801452 - ETPRO ACTIVEX Kingview SCADA Possible ValidateUser code execution (activex.rules)
 2801453 - ETPRO USER_AGENTS Suspicious UA likely Banload Trojan Related (user_agents.rules)


[---]         Disabled rules:        [---]

Disabled for obsolescence...
 2008736 - ET MALWARE Borlander Adware Checkin (malware.rules)



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
