2 Replies Latest reply on Dec 23, 2010 7:30 AM by SergeM

    MSO / MSIE Vector Markup Language Vulnerability

    SergeM

      Hi everyone

       

      For the past 2 days I've had a few users mentioning that when they open/send HTML mail messages they get an alert pop-up:


        McAfee Intrusion Detected Alert

        Microsoft Internet Explorer Vector Markup Language Vulnerability (2)

       

      I've checked and could see it in the HIPS logs.

      On the ePO Server Threat logs I see several lines

       

      Event Category:Host intrusion (hip.Illegal_API_Use)
      Event ID:18000
      Threat Severity:Critical
      Threat Name:3776
      Threat Type:bad_parameter
      Action Taken:Blocked
      Threat Handled:true
      Event Description:Host intrusion detected and handled
      API Name CompatFlagsFromClsid
      Detailed Event Info 10072CEC-8CC1-11D1-986E-00A0C955B42E
      Vulnerability Name Vulnerable ActiveX Control Loading A

       

      We're using WinXP SP3

        McAfee Agent 4.5.0.1499, Host Intrusion Prevention 7.0.0.1159,

        VirusScan Enterprise 8.7.0.570.Wrk    DAT Version 6199     Engine Version 5400.1158

       

      I checked in the source code of a few HTML mail messages and there were a few more STYLE lines in the HEADER part mentioning VML but I couldn't identify anything that looked dangerous.

       

      I suspect this is somehow a false positive related with this weeks Microsoft patches as it started right after applying those patches.

      What makes me wonder is that I only have a few such reports and not hundreds.

       

      Does anyone have an idea what this could be ?

       

      thanks

        Serge