5121 Views 3 Replies Latest reply: May 27, 2013 5:06 PM by tjaynes
Travler The Place at McAfee Member 255 posts since
Mar 28, 2008

Apr 2, 2013 12:43 PM

"HTTP: Microsoft JPEG Processing Buffer Overrun"

Anyone else been getting these alerts?  We started getting them last week and get just over 100 / day on average from a multitude of external IPs.  The Destination IP is usually our McAfee Web Gateway, although every now and then there will be the IP of an internal workstation; so far there have been less than 10 different workstations, each with one "hit".  It looks like the vulnerability is old (2004) so I'm rather surprised at seeing it.  I blocked it yesterday afternoon and, so far, no one has screamed.



ePO 4.6.6 (Build: 176)

VSE, 5400 Engine (2600+ systems)
EE Agent
I-2700 Sensor

MWG (17286)
MWR 5.2 (Build: 1086)
MFE 8.3.2 Patch2
  • dt1 Newcomer 12 posts since
    Apr 17, 2013
    1. Apr 17, 2013 3:08 PM (in response to Travler)
    Re: "HTTP: Microsoft JPEG Processing Buffer Overrun"

    Yes, since 2 sigset updates ago, this has quickly become a top event.  I was expecting a sig update/mod for this attack in the last update, but it did not occur.


    Hopefully there is more to it, but this attack corresponds to CVE-2004-0200, with Microsoft issuing a patch in Sept 2004 included in SP1 for Windows XP.  So not really applicable today.

  • tjaynes Newcomer 19 posts since
    May 27, 2013
    3. May 27, 2013 5:06 PM (in response to Travler)
    Re: "HTTP: Microsoft JPEG Processing Buffer Overrun"

    Agreed with the old vulnerability not being relevant if the system is patched for it; you can just filter it at this point once the workstation is confirmed as patched. If it's your destination web gateway, then it's most likely internet traffic that's triggering it. If your web gateway isn't "transparent", where the external IP shows in the web gateway logs, then it's most likely internet-bound traffic. We see similar things with our gateways/proxies, where the destination is the gateway/proxy, and not the external site which shows up in the pcaps.


    You can also open a case with McAfee and they'll lead you through this process to submit false positives: KB 55743

    You'll submit packet captures up to them and they'll use these to better tune the signature for future sig set releases.
