Snort Rule for setSlice 0-day
Here's a Snort rule to attempt detection of the new setSlice 0-day:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg: "BLEEDING-EDGE EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy"; \
    flow: to_client,established; \
    content:"WebViewFolderIcon"; nocase; \
    content:".setSlice"; nocase; \
    content:"0x7ffffff"; nocase; \
    reference:url,riosec.com/msie-setslice-vuln; \
    reference:url,osvdb.org/27110; \
    classtype: attempted-user; sid: 1000001; rev:1; )
Update: This rule is now included in the Bleeding Snort sigs.
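To see what the three content options in the rule above will and will not alert on before deploying it, the following added example (not part of the original post and not Snort code) parses the rule's content/nocase options and applies them to a single buffer. It assumes one reassembled server response per buffer and ignores the header and flow options; the function names and sample payloads are constructed for illustration.

```python
import re

# The rule from the post, joined onto one line.
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE '
    'EXPLOIT MSIE WebViewFolderIcon setSlice invalid memory copy"; '
    'flow: to_client,established; content:"WebViewFolderIcon"; nocase; '
    'content:".setSlice"; nocase; content:"0x7ffffff"; nocase; '
    'reference:url,riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; '
    'classtype: attempted-user; sid: 1000001; rev:1; )'
)

def parse_contents(rule):
    """Return [(pattern_bytes, nocase)] for each content option, in rule order.
    Handles plain quoted strings only (no |hex| or escapes), which is all this rule uses."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    # Split the option list on ';' characters that sit outside double quotes.
    options = [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body)]
    contents = []
    for opt in options:
        name, _, value = opt.partition(":")
        name = name.strip()
        if name == "content":
            contents.append([value.strip().strip('"').encode(), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True  # nocase modifies the preceding content
    return [tuple(c) for c in contents]

def matches(rule, payload):
    """True if every content pattern occurs somewhere in payload. The rule has no
    offset/depth/distance/within modifiers, so position and order are unconstrained."""
    for pattern, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

# Constructed sample payloads (inert text, not captured traffic).
SAMPLES = {
    "advisory_text": b"Advisory: calling obj.setSlice with 0x7FFFFFFE on WebViewFolderIcon copies memory incorrectly.",
    "reordered_mixed_case": b"0X7FFFFFF ... .SETSLICE ... webviewfoldericon",
    "small_argument": b"WebViewFolderIcon demo: obj.setSlice(1, 2, 3, 4)",
    "unrelated_page": b"<html><body>Hello</body></html>",
}

def run():
    return {name: matches(RULE, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in run().items():
        print(f"{name:22} {'ALERT' if hit else 'no alert'}")
```

The advisory_text case shows the false positive to expect: a page that merely discusses the issue contains all three strings and alerts.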

