SWISS
Reliable Contributor
Message 1 of 5

CVE-2021-40444-IPS Rule 2844 brings Error Message while closing Word 2016 DE/EN even with

CVE-2021-40444 - MSHTML Remote Code Execution

Hello,

IPS Rule 2844 brings Error Message while closing WinWord 2016 DE/EN PRO-ENT Volume Licence even with empty WinWord!

https://kc.mcafee.com/corporate/index?page=content&id=KB94876

Of the recommended steps outlined in the article, some success has been shown with ENS Exploit Prevention signature "2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability" against known IOCs, although this rule is considered aggressive and might result in false positives. So, you should completely test this recommendation before applying it to production systems. New signature coverage for Exploit Prevention has been determined to be out-of-scope.

 

Questions:

Does the Extra DAT just protect against the patterns, files, URLs, or in general against the leak CVE-2021-40444?

IPS Rule 2844 is UNUSABLE how it is except you want an ERROR on every WinWord and hundreds of support calls.

Any feedback from McAfee? Please update the IPS rule so at least it does not throw an error on a standard Office 2016 with an EMPTY document.

 

 

2021-09-09 11_43_47-w10 - VMware Workstation.jpg

4 Replies
Pravas
McAfee Employee
Message 2 of 5

Re: CVE-2021-IPS Rule 2844 brings Error Message while closing Windows 2016 DE/EN even with empty Win

Hi @SWISS ,

I'm sorry to hear about the False Positive detection with EP rule 2844.

EXTRA.DAT has coverage for IOCs mentioned in KB94876.

Unfortunately, new signature coverage for Exploit Prevention has been determined to be out-of-scope.

We are exploring other coverage opportunities. Please subscribe to the aforementioned KB for any updates.

Thanks.


SWISS
Reliable Contributor
Message 3 of 5

Re: CVE-2021-IPS Rule 2844 brings Error Message while closing Windows 2016 DE/EN even with empty Win

Pravas, thank you.

 

Please clarify "Out of scope" in the McAfee KB so everybody understands it. Out of scope for us means it does not work for an actual 0-day or latest derivative of an exploit. It does not say it generates an error warning in Winword as shown by us. A false would be a block without any crash or error app side.

 

Thank you

 

Re: CVE-2021-IPS Rule 2844 brings Error Message while closing Windows 2016 DE/EN even with empty Win

Hi @Pravas  

Compilation of the expert rules provided in #KB94876 is failing.

Have you tested it? Or am I missing something?

Thanks

SWISS
Reliable Contributor
Message 5 of 5

CVE-2021-40444-IPS, Windows Patches are out 15.09.2021, which solve this Leak/Exploit fully from

Windows Patches are out 15.09.2021, which solve this Leak/Exploit fully from Microsoft.
