Rule Document 1:35170

Rule Category

BROWSER-IE -- Snort has detected traffic known to exploit vulnerabilities present in the Internet Explorer browser, or products that have the Trident or Tasman engines.

Alert Message

BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt

Rule Explanation

This rule alerts on specifically crafted traffic that triggers a use after free condition in the MutationObserver function of Microsoft Internet Explorer.

What To Look For

This rule alerts on specifically crafted traffic that triggers a use after free condition in the MutationObserver function of Microsoft Internet Explorer.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

Vulnerability::Severity::Critical

Vulnerability::Severity::High

MITRE::ATT&CK Framework::Enterprise::Initial Access::Drive-by Compromise

MITRE::ATT&CK Framework::Enterprise::Execution::User Execution::Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

CVE

CVE-2015-2425

Additional Links

technet.microsoft.com/en-us/security/bulletin/ms15-065

Rule Vulnerability

Use After Free

Use After Free (UAF) attacks target computer memory flaws to corrupt the memory execute code. The name refers to attempts to use memory after it has been freed, which can cause a program to crash under normal circumstances, or result in remote code execution in a successful attack.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

CVE-2015-2425

Loading description