Trigger for Sig 33439 - IE Memory Corruption Vulnerability

Hello all!  Sig 33439 was modified in S592 and I'm seeing a lot more alerts from this signature since we pushed S592.  Does anyone know what changed and what the trigger is that causes the signature to fire?  I have capture files and have not been able to identify anything malicious, nor what is causing it to fire.  If anyone can help me understand what the trigger is, I'm hoping I'll be able to identify what in the packets is causing the possible false positives.  Thank you.

Jonathan

11 REPLIES
Highlighted
Beginner

I've noticed this as well. As long as all machines running IE have the necessary patches, it shouldn't be a real problem, but it would be nice to know what's causing all the noise since S592 came out.

Highlighted

Hi

We're working on this signature already and will update it shortly.

Martin

IPS Signature Team

Highlighted

Martin,

Just to confirm, are you saying the current signature is misconfigured and it will be corrected in a future release?  Thank you.

Jonathan

Highlighted

Hi there,

We have the same issue here with several customers during the last two weeks.

We waited for signature updates to see if it was fixed, but no luck.

We disabled the signature for some customers.

Any suggestions?

Thanks,

Hugo

Highlighted

I'll open a service request with TAC to see if I can get any clarification or more information.  I'll let y'all know what I find out.

Jonathan

Highlighted

OK, thanks.

Highlighted

Jonathan,

Any input from TAC?

Thanks.

Highlighted

Hugo,

I opened an SR Friday morning and received confirmation, but have not heard anything back since.  Cisco isn't being very responsive with this query at all.

Jonathan

Highlighted

Jonathan,

Thanks a lot for your answer.

We're evaluating whether to disable this signature.

Regards,

Hugo

Highlighted
Beginner

We've had the same uptick in alerts on this signature, and now it's affecting a website that one of our users needs to access. Our systems are patched so I will likely just disable it for now, but I'll definitely watch this thread to see if Cisco updates with any information about a potential re-release of this sig.

Highlighted

Signature S597 (just released) has retired this signature. I ended up disabling it on our systems anyway.
