Loading...

Knowledge Center


Host Intrusion Prevention Signature 3776 triggers after applying Microsoft security update MS10-090
Technical Articles ID:  KB70810
Last Modified:  01/31/2011
Rated:


Environment

McAfee Host Intrusion Prevention 7.0 (Signature 3776)
 

Problem

Detections for Signature 3776 - Microsoft Internet Explorer Vector Markup Language Vulnerability (2).

This issue occurs after you apply the December 14th Microsoft security update MS10-090 (KB 2416400).

http://support.microsoft.com/kb/2416400

NOTE:
This signature has been enabled for the past three years to block VML related vulnerabilities (CVE-2006-4868 and CVE-2007-1749).

Cause

Prior to the application of MS10-090, a false negative issue could occur for Host IPS Signature 3776. The signature was not triggered in some narrow instances due to inconsistencies in the content framework with regards to the CLSID (COM class object for vgx.dl) instantiation by the operating system.

Solution

The MS10-090 security update patch, released by Microsoft on December 14, 2010, altered the instantiation path the COM class object component related to vgx.dll so the signature is now correctly triggered in these other instances.

Signature 3776 was originally created to block the use of ActiveX controls related to vgx.dll for older vulnerabilities as outlined in CVE-2006-4868 and CVE-2007-1749. These vulnerabilities were patched by earlier Microsoft security update patches MS06-055 released September 26, 2006 and MS07-050 released August 14, 2007. Customers may also refer to Microsoft article 961825 (http://support.microsoft.com/kb/961825) regarding information on these earlier security updates.

The recent MS10-090 security update includes updated coverage for these vulnerabilities.

If you have applied the above security patches, you may safely disable Signature 3776. If the above security updates were not applied and the signature was disabled, the exploitation of these vulnerabilities would still be prevented by the Host IPS Generic Buffer Overflow Protection feature.

Workaround

If you have not yet applied Microsoft Security Update MS10-090, Host Intrusion Prevention generic buffer overflow protection will protect you against this vulnerability.

Please refer to the McAfee Security Content Release Notes for Host IPS on McAfee Labs Threat Center:

http://www.mcafee.com/us/content-release-notes/index.aspx

Rate this document

Did this article resolve your issue?

Please provide any comments below

Glossary of Technical Terms


Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.
United States - English
© 2003-2013 McAfee, Inc.