No issues here with the extra.dat; about 40,000 nodes. But as mentioned above, I am not even sure at this point if the extra.dat applies/works/effective with VSE. Still waiting for a response from our account rep on that one.
The blog about this was corrected since I last complained to our SAM:
Part 1: it's an IE / MS issue, you should put your money on thaton 4/30/14 5:04:25 AM CDT
The underlying issue is with the legacy VML. Unregistering VGX.DLL does the trick until an MS security update comes out. Only problem is: you'll need the re-register VGX.DLL to apply the update when MS releases it.
The way to exploit it is a well-known method using vulnerable Flash:
Patch flash to v13.0 on Windows and you break the current method of exploit, it buys you some time until the full protection is available from McAfee.Message was edited by: malware-alerts on 4/30/14 10:54:31 AM CDT
Until the DAT comes out, HIPS signature 428, Generic Buffer Overflow, will catch this activity if it occurs. By default that's a HIGH signature. A simple Threat Event query with the filter set to look for buffer in the Signature Name (Host IPS) will show you any hits.
Microsoft are issuing an emergency update to address this vulnerability.
ALL versions of windows will receive this fix. Including XP.
kenobe, how did you get this information about sig 428? Did McAfee Support tell you or did you have the exploit in your environment.
If you have it in your environment, can you post the HIPS event, I would like to see the IPS Parameter and IPS Parameter value.
did you track this back to specific website? thx for the info.
I got the info about the HIPS event description from here:
Looked up Generic Buffer Overflow in the McAfee Default IPS rules - 428.
I haven't seen it at my site but can post info if I do before the eventual patch is applied.
Applying the latest flash update (18.104.22.168) works, basically closes the bridge needed to exploit CVE-2014-1776.Message was edited by: malware-alerts on 4/28/14 2:25:04 PM CDT