https://community.cisco.com/t5/network-security/csa-bufferoverflow-exposed/m-p/728592#M86993 <P>I am looking into the bufferoverflow events in CSA and need your assistance in this one.</P><P></P><P>Here is the event:</P><P>The application 'C:\Program Files\Internet Explorer\iexplore.exe' (***) tried to call the function VirtualProtectEx("&lt;self&gt;") from a buffer (the return address was 0x7c108ec9). The code at this address is 'ff7510ff 750cff75 086affe8 75ffffff 5dc21000 90909090 90e9733c 9093807c' </P><P></P><P>Is this action is very suspicious since the VirtualProtectEx function changes the access protection on a region of committed pages in the virtual address space of a specified process.?</P><P></P><P>Is it possible to figure out what does the code 'ff7510ff 750cff75 086affe8 75ffffff 5dc21000 90909090 90e9733c 9093807c' means? </P><P></P><P>Many thanks</P> Sun, 10 Mar 2019 10:33:49 GMT fkhan6_wb 2019-03-10T10:33:49Z https://community.cisco.com/t5/network-security/csa-bufferoverflow-exposed/m-p/728592#M86993 <P>I am looking into the bufferoverflow events in CSA and need your assistance in this one.</P><P></P><P>Here is the event:</P><P>The application 'C:\Program Files\Internet Explorer\iexplore.exe' (***) tried to call the function VirtualProtectEx("&lt;self&gt;") from a buffer (the return address was 0x7c108ec9). The code at this address is 'ff7510ff 750cff75 086affe8 75ffffff 5dc21000 90909090 90e9733c 9093807c' </P><P></P><P>Is this action is very suspicious since the VirtualProtectEx function changes the access protection on a region of committed pages in the virtual address space of a specified process.?</P><P></P><P>Is it possible to figure out what does the code 'ff7510ff 750cff75 086affe8 75ffffff 5dc21000 90909090 90e9733c 9093807c' means? </P><P></P><P>Many thanks</P> Sun, 10 Mar 2019 10:33:49 GMT https://community.cisco.com/t5/network-security/csa-bufferoverflow-exposed/m-p/728592#M86993 fkhan6_wb 2019-03-10T10:33:49Z https://community.cisco.com/t5/network-security/csa-bufferoverflow-exposed/m-p/728593#M86998 <HTML><HEAD></HEAD><BODY><P>I have a machine that got the exact same message (including the code address) and it was the same day they installed a Tomcat Web server and Spyware Doctor.</P><P></P><P>I believe Spyware Doctor was the culprit in my case.</P><P></P><P>Tom S</P></BODY></HTML> Thu, 12 Apr 2007 22:24:52 GMT https://community.cisco.com/t5/network-security/csa-bufferoverflow-exposed/m-p/728593#M86998 tsteger1 2007-04-12T22:24:52Z