cancel
Showing results for 
Search instead for 
Did you mean: 
SergeM
Level 9

MSO / MSIE Vector Markup Language Vulnerability

Jump to solution

Hi everyone

For the past 2 days I've had a few users mentioning that when they open/send HTML mail messages they get an alert pop-up:


  McAfee Intrusion Detected Alert

  Microsoft Internet Explorer Vector Markup Language Vulnerability (2)

I've checked and could see it in the HIPS logs.

On the ePO Server Threat logs I see several lines

Event Category:Host intrusion (hip.Illegal_API_Use)
Event ID:18000
Threat Severity:Critical
Threat Name:3776
Threat Type:bad_parameter
Action Taken:Blocked
Threat Handled:true
Event Description:Host intrusion detected and handled
API Name CompatFlagsFromClsid
Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
Vulnerability Name Vulnerable ActiveX Control Loading A

We're using WinXP SP3

  McAfee Agent 4.5.0.1499, Host Intrusion Prevention 7.0.0.1159,

  VirusScan Enterprise 8.7.0.570.Wrk    DAT Version 6199     Engine Version 5400.1158

I checked in the source code of a few HTML mail messages and there were a few more STYLE lines in the HEADER part mentioning VML but I couldn't identify anything that looked dangerous.

I suspect this is somehow a false positive related with this weeks Microsoft patches as it started right after applying those patches.

What makes me wonder is that I only have a few such reports and not hundreds.

Does anyone have an idea what this could be ?

thanks

  Serge

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: MSO / MSIE Vector Markup Language Vulnerability

Jump to solution

McAfee has been notified of potential false positive signature detections after applying MS2416400, which is included in the MS10-090 security update released by Microsoft on December 15, 2010. 

For additional information, see KnowledgeBase article KB70810:
https://kc.mcafee.com/corporate/index?page=content&id=KB70810

0 Kudos
2 Replies
McAfee Employee

Re: MSO / MSIE Vector Markup Language Vulnerability

Jump to solution

McAfee has been notified of potential false positive signature detections after applying MS2416400, which is included in the MS10-090 security update released by Microsoft on December 15, 2010. 

For additional information, see KnowledgeBase article KB70810:
https://kc.mcafee.com/corporate/index?page=content&id=KB70810

0 Kudos
SergeM
Level 9

Re: MSO / MSIE Vector Markup Language Vulnerability

Jump to solution

Hi,

Thanks a lot, this helped.

I just wish I didn't have to disable the signature as I'm worried some users aren't up-to-date with patches

Wishing you a merry X-mas or whichever non-denominational greeting you might prefer

  Serge

0 Kudos