20 Replies. Latest reply: Dec 1, 2014 2:08 PM by wwarren

    Configuring buffer overflow exclusions VSE 8.8

    DeanBaker

      Hi All.

       

      I’d like some help and advice on configuring the buffer overflow exclusions in VSE 8.8. Like most of you, since upgrading to patch 4 I have had numerous problems on user PCs / Citrix servers where the buffer overflow has been triggered. At the moment it seems to be Office 2003 and IE8 causing the problem. The workaround (if I’m right in saying so, as these are legitimate) is to either turn off BOP or to add exclusions. I’d rather do the latter and leave BOP on. I’d like to add the exclusions with as much info as possible so at least it won’t be completely off for that process.

       

      The errors I’m mainly seeing are:

       

      C:\Program Files\InternetExplorer\iexplore.exe:NTDLL.KiUserExceptionDispatcher::6d4ac228   BO:Image BO:Writable

      D:\Program Files\MicrosoftOffice\OFFICE11\OUTLOOK.EXE:NTDLL.KiUserExceptionDispatcher::73    BO:Memory

       

       

      From that info what do I need to put in the 3 boxes for the exclusions (process, module and API)?

       

      I guess the process is iexplore.exe & OUTLOOK.EXE :-) would KiUserExceptionDispatcher be the module and 6d4ac228 & 73 be the API?

       

      As you can tell I’m way out of my depth here.

       

       

      Thanks all.

        • 1. Re: Configuring buffer overflow exclusions VSE 8.8
          pato

          To fix the IE issues, update to at least IE9 and clean out all temporary files. That should normally fix it. Sometimes some outdated add-ins can also cause issues.

          I can't help with Office 2003, but in general, install all updates and maybe remove outdated plugins and it might already work.

          • 2. Re: Configuring buffer overflow exclusions VSE 8.8
            DeanBaker

            Thanks for the reply Pato. We cannot go to IE9 as the OS on the server is 2003 R2, so IE8 is the latest and it's fully patched. The same goes for Office; we are not in a position yet to upgrade to Office 2010 / 2013.

             

            Can anyone else help me out with the exclusions?

            • 3. Re: Configuring buffer overflow exclusions VSE 8.8
              llamamecomoquieras

              Hi Dean,

               

              Try to create the exclusions using only the process name and leaving the other two fields blank.

               

              As you said the processes are IEXPLORER.exe and OUTLOOK.exe

               

              In my experience, using only the process name works.

               

              Best regards,

              • 4. Re: Configuring buffer overflow exclusions VSE 8.8
                jloader1

                Does leaving the other two fields blank (Module & API) leave you open for vulnerability though?

                 

                We have also implemented Patch Level 4 and are experiencing the same issue.  We are currently tracking all of the reported BOP alerts and have found that a majority of them are AcroRd32.exe & iexplore.exe related.  I'm just hesitant to globally exclude these two processes since they are used by many exploits.

                 

                Guidance on this would be appreciated.

                 

                Thanks.

                 

                Message was edited by: jloader1 on 5/15/14 11:40:56 AM GMT-05:00
                • 5. Re: Configuring buffer overflow exclusions VSE 8.8
                  llamamecomoquieras

                  As far as I am aware McAfee will release a fix for that, so I reckon you should open a case and they will give you more info. Be aware that old software like Office 2000 or Office 2003 is not supported for DEP and the only way to get rid of the issue is creating an exclusion. If you check kc.mcafee.com for Vse p4 bof violation you will get more info.

                   

                  Best regards

                  • 6. Re: Configuring buffer overflow exclusions VSE 8.8
                    Richard Carpenter

                    Hi,

                     

                    We discovered a similar issue. McAfee released an SNS Notice on March 7th highlighting this issue and have created a KB here https://kc.mcafee.com/corporate/index?page=content&id=KB81308

                     

                    The above KB explains why this happens and some solutions and workarounds.

                     

                    Rich

                    • 7. Re: Configuring buffer overflow exclusions VSE 8.8
                      jloader1

                      Thanks for the response Rich. I have seen the KB article. My concern lies in giving any process a sort of "free pass" if you have the ability to add module & API. It's a balancing act for sure: a vast number of modules and tons of APIs, so the exclusion list could be potentially limitless, vs. the risk of allowing any process named iexplore or acrord32 (hackers' favorites). We've not seen the same API flagged by BOP twice (if I'm understanding the log entries correctly). Disabling BOP is not an option in our enterprise.

                       

                      Thanks.

                      • 8. Re: Configuring buffer overflow exclusions VSE 8.8
                        Travler

                        C:\Program Files\InternetExplorer\iexplore.exe:NTDLL.KiUserExceptionDispatcher::6d4ac228   BO:Image BO:Writable

                        D:\Program Files\MicrosoftOffice\OFFICE11\OUTLOOK.EXE:NTDLL.KiUserExceptionDispatcher::73     BO:Memory

                         

                         

                        From that info what do I need to put in the 3 boxes for the exclusions (process, module and API)?

                         

                        I guess the process is iexplore.exe & OUTLOOK.EXE :-) would KiUserExceptionDispatcher be the module and 6d4ac228 & 73 be the API?

                        We're having iexplore.exe (and explorer.exe) issues, too.  I was wondering the same thing about the "module" and "api" settings.

                        Can someone confirm that DeanBaker is correct in his assumption as to what we should be entering in these exclusion setting fields?

                         

                        Thanks!

                        • 9. Re: Configuring buffer overflow exclusions VSE 8.8
                          bccol

                          I've had an issue with one of our users where BOP was blocking them when trying to import scanned documents into one of our data systems. This was solved after adding the exception for svchost.exe on their machine by policy as described below.

                           

                          20/06/2014 09:33:46 Blocked by Buffer Overflow Protection  NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe:NTDLL.KiUserExceptionDispatcher::74736552 BO:Stack

                           

                          Using the info above from the BufferOverFlowLog I added NTDLL.KiUserExceptionDispatcher to the module field and then added the 74736552 to the api field. I noticed after saving the policy though that this information was corrected by EPO which added NTDLL as the module and KiUserExceptionDispatcher was added to the API field removing the numerical value I'd added.

                           

                          It appears there is some kind of error checking when entering BOP exceptions, and the logs can be interpreted as NT AUTHORITY\LOCAL SERVICE process:module.api (please correct me though if this is wrong). I don't know how secure this is, but it must be better than excluding the entire process.

                           

                          Message was edited by: bccol on 20/06/14 14:03:19 IST
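
The log reading described in reply 9 (process:module.api, with the numeric value dropped by ePO), written out as an added example that is not part of any post and is not McAfee code. The field layout is an assumption taken from that reply; the sample lines are the three log entries quoted in this thread, and the function names are hypothetical.

```python
import ntpath
import re
from collections import Counter

# Assumed layout, per reply 9: <process path>:<module>.<api>::<value>  BO:<type> ...
# The path itself contains a drive-letter colon, so a plain split(":") would misparse it.
BOP_ENTRY = re.compile(
    r"(?P<path>[A-Za-z]:\\[^:]*?\.exe):(?P<module>[^.:\s]+)\.(?P<api>[^:\s]+)"
    r"::(?P<value>[0-9A-Fa-f]+)\s+(?P<flags>BO:\w+(?:\s+BO:\w+)*)",
    re.IGNORECASE,
)

# Log entries copied from the posts above (not constructed).
SAMPLE_LOG = [
    r"C:\Program Files\InternetExplorer\iexplore.exe:NTDLL.KiUserExceptionDispatcher::6d4ac228   BO:Image BO:Writable",
    r"D:\Program Files\MicrosoftOffice\OFFICE11\OUTLOOK.EXE:NTDLL.KiUserExceptionDispatcher::73    BO:Memory",
    r"20/06/2014 09:33:46 Blocked by Buffer Overflow Protection  NT AUTHORITY\LOCAL SERVICE "
    r"C:\Windows\system32\svchost.exe:NTDLL.KiUserExceptionDispatcher::74736552 BO:Stack",
]


def parse_bop_line(line):
    """Split one BOP log entry into its fields; return None if it does not match."""
    m = BOP_ENTRY.search(line)
    if m is None:
        return None
    return {
        "process": ntpath.basename(m["path"]).lower(),  # Process box: file name only
        "module": m["module"],                          # Module box
        "api": m["api"],                                # API box
        "value": m["value"],                            # trailing number, not an exclusion field
        "flags": m["flags"].split(),                    # e.g. ["BO:Image", "BO:Writable"]
    }


def exclusion_candidates(lines):
    """Count detections per (process, module, api) so only triples actually seen get excluded."""
    counts = Counter()
    for line in lines:
        entry = parse_bop_line(line)
        if entry is not None:
            counts[(entry["process"], entry["module"], entry["api"])] += 1
    return counts


if __name__ == "__main__":
    for (process, module, api), seen in sorted(exclusion_candidates(SAMPLE_LOG).items()):
        print(f"process={process}  module={module}  api={api}  seen={seen}")
```

Scoping each exclusion to the full triple keeps BOP active for every other module and API in the same process, which is the concern raised in replies 4 and 7.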