This bit from the CVE entry makes for interesting reading: 'Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." '
There is demo page here: http://lcamtuf.coredump.cx/iedie.html Some code from the page looks like this: <html><body><img src=http://lcamtuf.coredump.cx/photo/current/m2A.jpg><foo onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork onclick=bork......... It is possible that ISS is counting "large number[s] of script action handlers" in web pages (those "onclick" actions above) and false positives come from either 1) alerting on too few actions*, or 2) alerting on the right number of actions, but they are in non-malicious web pages. *There doesn't seem to be agreeement on how many is too many. In this case, there is probably no way to distinguish the malicious page from the non-malicious automagically. I see a lot of these events from web-based mail sites (like Yahoo), online shopping and travel sites, and other feature-rich sites. The key here is "feature-rich site"; lots of buttons and actions. With this and other similar sigs, it takes an alert (pun intended) analyst to 1) weed out the innocuous sites, 2) correllate any malicious activity from the target after the event occurred (assuming it does something to attract the attention of the IDS), and 3) confirm that the target host is patched to current. Interestingly, we also see alerts for this sig from traffic between our inbound mail gateway and the spam-scrubbers. I haven't seen the spam itself, but I'm guessing maybe it was HTML-based(??). And, yes, that would mean that ISS is analyzing SMTP traffic with this signature. Jason --- "Soldatov, Sergey V." <[EMAIL PROTECTED]> wrote: > I see HTML_Mshtml_Overflow event generated from: > 62.140.23.27 > 81.177.28.61 > > Why? Is that false posititves? How to configure HTML_Mshtml_Overflow > signature to mitigate such FPs? How does HTML_Mshtml_Overflow work? > What > does it search for? > > Thanks. > > --- > Best regards, Sergey V. Soldatov. > Information security department. > tel/fax +7 495 745 89 50 > tel +7 495 777 77 07 (1613) > > > _______________________________________________ > ISSForum mailing list > [email protected] > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to > https://atla-mm1.iss.net/mailman/listinfo/issforum > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] > > The ISSForum mailing list is hosted and managed by Internet Security > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
