Going to start the thread at least, anyone seeing/doing anything for this patch for monitoring yet while it gets deployed?
Quick thoughts: (these could be done as app rules)
- watch for content meta "application/vnd.ms-fontobject"
- watch for extension meta "eot"
Also, I've attached the beginnings of what will become the "fingerprint_font" parser once it is complete, has passed testing, and is published in Live. Currently only embedded opentype font files are identified - which are the most relevant at the moment, anyway - for which it will register filetype meta "eot font".
There is also this YARA rule which can be added to alert: Loki/exploit_cve_2015_2426.yar at master · Neo23x0/Loki · GitHub
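Header-based fingerprinting of EOT payloads, as an added example that is not the fingerprint_font parser or any other code from the original post. It checks the fixed part of the Embedded OpenType header (EOTSize, FontDataSize, Version and the 0x504C MagicNumber at offset 34, per Microsoft's EOT specification) and runs the two meta rules from the post next to it, so that a payload whose declared Content-Type or extension disagrees with its actual bytes is flagged rather than missed. The sample payloads are constructed and are not real fonts; the rule names and the `meta` dict shape are assumptions for illustration.

```python
"""Fingerprint Embedded OpenType (EOT) payloads by their header bytes.

Added example, not the fingerprint_font parser from the original post.
Header layout follows Microsoft's EOT specification; sample payloads are
constructed and are not valid fonts.
"""
import struct

EOT_VERSIONS = {0x00010000, 0x00020001, 0x00020002}  # Version field, offset 8
EOT_MAGIC = b"LP"      # MagicNumber 0x504C, little-endian, at offset 34
EOT_FIXED_HEADER = 36  # bytes up to and including MagicNumber
EOT_MIME = "application/vnd.ms-fontobject"


def fingerprint_eot(data: bytes):
    """Return parsed header fields if data carries an EOT header, else None.

    The decision is made from the bytes only; declared Content-Type and
    extension are deliberately ignored here."""
    if len(data) < EOT_FIXED_HEADER or data[34:36] != EOT_MAGIC:
        return None
    eot_size, font_data_size, version, flags = struct.unpack_from("<IIII", data, 0)
    if version not in EOT_VERSIONS:
        return None
    return {
        "eot_size": eot_size,
        "font_data_size": font_data_size,
        "version": version,
        "flags": flags,
        # Truncated, padded or trailer-carrying files fail this check.
        "size_consistent": eot_size == len(data) and font_data_size < eot_size,
    }


def classify(meta: dict, payload: bytes) -> list:
    """Apply the two meta rules from the post plus the content fingerprint.

    meta: declared attributes, e.g. {"content_type": ..., "extension": ...}
    (assumed shape). Returns the rule names that fired, including a mismatch
    flag when the declared type and the actual bytes disagree."""
    fired = []
    declared = False
    if meta.get("content_type", "").lower() == EOT_MIME:
        fired.append("eot_content_type")
        declared = True
    if meta.get("extension", "").lower() == "eot":
        fired.append("eot_extension")
        declared = True
    fp = fingerprint_eot(payload)
    if fp is not None:
        fired.append("eot_font")  # analogous to the 'eot font' filetype meta
        if not fp["size_consistent"]:
            fired.append("eot_size_mismatch")
    if declared != (fp is not None):
        fired.append("declared_vs_content_mismatch")
    return fired


def build_sample_eot(font_data: bytes, version: int = 0x00020002) -> bytes:
    """Constructed minimal EOT wrapper: the fixed 36-byte header, 46 zero bytes
    standing in for the variable-length header fields, then the font bytes."""
    eot_size = EOT_FIXED_HEADER + 46 + len(font_data)
    hdr = struct.pack("<IIII", eot_size, len(font_data), version, 0)
    hdr += b"\x00" * 10                # FontPANOSE
    hdr += b"\x01\x00"                 # Charset, Italic
    hdr += struct.pack("<IH", 400, 0)  # Weight, fsType
    hdr += EOT_MAGIC
    return hdr + b"\x00" * 46 + font_data


FONT_BLOB = b"OTTO" + b"\x00" * 60  # constructed stand-in for embedded font data

SAMPLES = [  # constructed: (declared meta, payload)
    ({"content_type": EOT_MIME, "extension": "eot"}, build_sample_eot(FONT_BLOB)),
    ({"content_type": "image/png", "extension": "png"}, build_sample_eot(FONT_BLOB)),
    ({"content_type": EOT_MIME, "extension": "eot"}, b"<html>not a font</html>"),
    ({"content_type": "text/html", "extension": "html"}, b"<html>ok</html>"),
    ({"content_type": EOT_MIME, "extension": "eot"}, build_sample_eot(FONT_BLOB)[:100]),
]

if __name__ == "__main__":
    for meta, payload in SAMPLES:
        print(meta, "->", classify(meta, payload))
```

The second sample is the case the meta-only rules miss: an EOT served as image/png. The third is the opposite, something declared as a font that does not parse as one; either mismatch is worth a look while the patch is rolling out. The size check only validates the fixed header, so a file that passes it can still be malformed further in.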