2 Replies Latest reply on Dec 23, 2010 7:30 AM by SergeM

    MSO / MSIE Vector Markup Language Vulnerability


      Hi everyone


      For the past 2 days I've had a few users mentioning that when they open/send HTML mail messages they get an alert pop-up:

        McAfee Intrusion Detected Alert

        Microsoft Internet Explorer Vector Markup Language Vulnerability (2)


      I've checked and could see it in the HIPS logs.

      On the ePO Server Threat logs I see several lines


      Event Category:Host intrusion (hip.Illegal_API_Use)
      Event ID:18000
      Threat Severity:Critical
      Threat Name:3776
      Threat Type:bad_parameter
      Action Taken:Blocked
      Threat Handled:true
      Event Description:Host intrusion detected and handled
      API Name CompatFlagsFromClsid
      Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
      Vulnerability Name Vulnerable ActiveX Control Loading A


      We're using WinXP SP3

        McAfee Agent, Host Intrusion Prevention,

        VirusScan Enterprise    DAT Version 6199     Engine Version 5400.1158


      I checked in the source code of a few HTML mail messages and there were a few more STYLE lines in the HEADER part mentioning VML but I couldn't identify anything that looked dangerous.


      I suspect this is somehow a false positive related with this weeks Microsoft patches as it started right after applying those patches.

      What makes me wonder is that I only have a few such reports and not hundreds.


      Does anyone have an idea what this could be ?