2 Replies Latest reply on Jun 4, 2010 7:21 AM by kleicht

    Microsoft Outlook Date Field Buffer Overflow

      Hello,

       

      I'm brand new to the community. We have our I-2700 set to automatically download and apply signature sets. On Friday morning, when the new sigset kicked in (6.4.11.18), we started to get a lot of alerts:

       

           SMTP: Microsoft Outlook Date Field buffer Overflow

       

      Unfortunately, it turns out that this was blocking email from several legitimate sites, including, and most importantly, BlackBerry activations.

       

      I've had to put in an alert filter and have opened a ticket with McAfee, but I'm wondering if anyone else is seeing the same issue with the new sigset.

        • 1. Re: Microsoft Outlook Date Field Buffer Overflow
          SGROSSEN

          Kevin,

           

          We have identified this as an issue, and released the following SNS bulletin about it today. Please give it a read through and adjust the signature accordingly if needed. Also, we will be releasing a follow-up sigset to address this issue sometime later today or tomorrow, so look for that on the download server. Thanks.

           

          ----------------------

           

          BACKGROUND

          The May 27 Signature Set releases (4.1.74.18|5.1.44.18|6.4.11.18) included protocol enhancements that may incorrectly identify the following signature — “SMTP: Microsoft Outlook Date Field Buffer Overflow – Attack ID 0x40405300.” No changes were made to the attack detection mechanism for this signature (1st released in Feb 2003).

           

          BEHAVIOR

          The signature is enabled for monitoring by default, but is NOT enabled for blocking by default. If you have enabled blocking for this particular signature, you may see some SMTP traffic getting dropped by this signature.

           

          WORKAROUND

          1. Disable the signature. This will stop SMTP monitoring & blocking for this particular signature.

          *OR*

          2. Roll back to signature sets 4.1.73.4|5.1.43.4|6.4.10.5 released on May 11, 2010 from NSM

          *OR*

          3. Upload *Special* Signature Set release that will be available later on June 3, 2010 (US CDT)

           

          McAfee will send a follow-up email when the *Special* Signature Set is available. For more information, please go to https://mysupport.mcafee.com, log in, and access KnowledgeBase article KB69033.

           

          NOTE: NEXT SIGNATURE SET RELEASE

          The next in-band Signature Set Release will be on Tuesday, June 8, 2010 (US CDT).

           

           

          Message was edited by: Steve Grossenbacher on 6/3/10 5:46:28 PM CDT
          • 2. Re: Microsoft Outlook Date Field Buffer Overflow

            Many thanks. I also got the SNS notice on this, and have disabled the signature. I'll wait until next week's sig comes out and re-enable blocking on this attack then. Cheers, Kevin