1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
Rule:
--
Sid:
2577
--
Summary:
This event is generated when an attempt is made to exploit a known
vulnerability in Microsoft Internet Explorer.
--
Impact:
Serious. Execution of arbitrary code may be possible.
--
Detailed Information:
Internet Explorer does not correctly handle the validation of data from
an external source when processing data in a frame from a redirected
source. This may lead to the execution of arbitrary code in the context
of the Local Machine zone.
It may be possible for an attacker to supply an HTTP 300 response from a
webserver that points to a local file on the victim host. If the
attacker includes code of their choosing, this code is executed in the
context of the trusted Local Machine zone.
--
Affected Systems:
Microsoft Internet Explorer
Microsoft Outlook
Microsoft Outlook Express
--
Attack Scenarios:
An attacker would need to supply an HTTP 300 series code to redirect the
contents of a frame to a local resource on the victim host.
--
Ease of Attack:
Simple. Exploits exist.
--
False Positives:
A valid 300 server response that uses the Location parameter to redirect
users to a new location may generate an event.
--
False Negatives:
None known.
--
Corrective Action:
Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.
Disable Active Scripting and ActiveX
Disable the use of HTML email
Use a browser other than Internet Explorer
--
Contributors:
Original Snort documentation contributed by nnposter@users.sourceforge.net
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
--
Additional References:
--
|
