Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1948
Views
0
Helpful
11
Replies

Trigger for Sig 33439 - IE Memory Corruption Vulnerability

Jonathan Grant
Level 1
Level 1

‎09-14-2011 01:08 PM - edited ‎03-10-2019 05:28 AM

Hello all!  Sig 33439 was modified in S592 and I'm seeing a lot more alerts from this signature since we pushed S592.  Does anyone know what changed and what the trigger is that causes the signature to fire?  I have capture files and have not been able to identify anything malicious, nor what is causing it to fire.  If anyone can help me understand what the trigger is, I'm hoping I'll be able to identify what in the packets are causing the possible false-positives.  Thank you.

Jonathan

Labels:
0 Helpful
11 Replies 11

mark.barrett
Level 1
Level 1

‎09-14-2011 03:29 PM

I've noticed this as well. As long as all machines running IE have the necessary patches, it shouldn't be a real problem but would be nice to know what's causing all the noise since S592 came out.

0 Helpful

mzeiser
Cisco Employee
Cisco Employee
In response to mark.barrett

‎09-15-2011 02:41 AM

Hi

We're working on this signature already and will update it shortly.

Martin

IPS Signature Team

0 Helpful

Jonathan Grant
Level 1
Level 1
In response to mzeiser

‎09-15-2011 06:17 AM

Martin,

Just to confirm, are you saying the current signature is misconfigured and it will be corrected in a future release?  Thank you.

Jonathan

0 Helpful

Hugo Caye
Level 1
Level 1
In response to Jonathan Grant

‎09-16-2011 05:58 AM

Hi there,

We have the same issue here with several customers during the last two weeks.

We waited for signatures updates if it was fixed but no luck.

We disabled the signature in some customers.

Any suggestion?

Thanks,

Hugo

0 Helpful

Jonathan Grant
Level 1
Level 1
In response to Hugo Caye

‎09-16-2011 06:22 AM

I'll open a service request with TAC and to see if I can get any clarification or more information.  I'll let y'all know what I find out.

Jonathan

0 Helpful

Hugo Caye
Level 1
Level 1
In response to Jonathan Grant

‎09-16-2011 06:28 AM

OK, thanks.

0 Helpful

Hugo Caye
Level 1
Level 1
In response to Hugo Caye

‎09-17-2011 05:43 AM

Jonathan,

Any input from TAC?

Tks.

0 Helpful

Jonathan Grant
Level 1
Level 1
In response to Hugo Caye

‎09-19-2011 06:06 AM

Hugo,

I opened an SR Friday morning, I received confirmation, but have not heard anything back since.  Cisco isn't being very responsive with this query at all.

Jonathan

0 Helpful

Hugo Caye
Level 1
Level 1
In response to Jonathan Grant

‎09-19-2011 06:15 PM

Jonathan,

Thanks a lot for your answer.

We’re evaluating to disable this signature.

Regards,

Hugo

0 Helpful

Daniel Barr
Level 1
Level 1

‎09-20-2011 06:45 AM

We've had the same uptick in alerts on this signature, and now it's affecting a website that one of our users needs to access. Our systems are patched so I will likely just disable it for now, but I'll definitely watch this thread to see if Cisco updates with any information about a potential re-release of this sig.

0 Helpful

Daniel Barr
Level 1
Level 1
In response to Daniel Barr

‎09-22-2011 02:56 PM

Signature S597 (just released) has retired this signature. I ended up disabling it on our systems anyway.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card