RVS4000 IPS identifies flickr images, etc., as Microsoft Color Management Module Buffer Overflow exploit

Unanswered Question
Aug 8th, 2010

If I enable the IPS function in my RVS4000, some images from various popular websites like Flickr and blogspot will not load.  They are detected by IPS as "EXPLOIT Microsoft Color Management Module Buffer Overflow"

You can test it yourself with this image hosted at blogspot:

http://4.bp.blogspot.com/_a7jkcMVp5Vg/TF3gjYJrHBI/AAAAAAAAMqM/ScJAA8y9nZk/s400/sorry.jpg

With IPS enabled, that image will not load.  With IPS disabled, it will.

I am using firmware 1.3.2.0 and IPS signature version 1.42.

I believe IPS is incorrectly identifying these images as containing the color management buffer overflow exploit.

Any chance this could be corrected in the next IPS signature release?

As an aside, I would prefer to open a case with support about this, but I really can't figure out how to do so.  I purchased the RVS4000 when it was still made by Linksys.  I would assume I should still be able to get support on it now that it's owned by Cisco, but trying to open a case on the web for this seems impossible.  Am I missing something?

dstegall72 Sat, 08/14/2010 - 08:25

Anyone else experiencing this?  Given that Microsoft rates this exploit as "critical", I'd rather not disable IPS, but it's frustrating that so many images seem to be blocked by having it enabled.

DominikAu Wed, 08/18/2010 - 14:30

I've experienced this too, on Flickr. Unfortunately I didn't save the links to the images that raised that IPS alert.

But I can see your image with IPS activated.

WRVS4400Nv2 @ V2.0.0.8;

IPS signatures: 1.42

DominikAu Wed, 08/18/2010 - 14:45

I've just removed the proxy in my browser, so that it connects directly.

Et voila: EXPLOIT Microsoft Color Management Module Buffer Overflow

But this raises the fear that IPS works just as expected only when no (external) proxy is used.

That would be a serious problem, at least because it isn't mentioned in the online help/manual and because I'd leave my real IP at many places, which I wouldn't like.

I'd be happy to read a response from Cisco on the Buffer Overflow (is it a false positive?) and on whether IPS should work when an external proxy is used (via unencrypted connections, so the [W]RVS has a chance to read the communication).
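A practitioner's check for the false-positive question raised in this thread, added here and not taken from the thread, Cisco or Linksys: the signature name refers to the ICC colour-profile parsing flaw fixed by Microsoft bulletin MS05-036, so the script below pulls the embedded ICC profile out of a JPEG's APP2 segments and reports whether its tag table is internally consistent, which is what separates a genuinely malformed profile from an ordinary photo that merely carries one. The sample JPEGs are constructed inline; the BENIGN and SUSPECT cases and all function names are my own.

```python
import struct

ICC_TAG = b"ICC_PROFILE\x00"          # APP2 payload prefix defined by the ICC spec
def extract_icc_profile(jpeg: bytes):
    """Walk the JPEG marker segments and reassemble the APP2 ICC_PROFILE chunks."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos, chunks = 2, {}
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or SOS: metadata segments are over
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE2 and body.startswith(ICC_TAG):
            chunks[body[12]] = body[14:]    # byte 12 = chunk sequence number, 13 = chunk count
        pos += 2 + length
    return b"".join(chunks[i] for i in sorted(chunks)) if chunks else None

def check_icc_profile(profile: bytes) -> list:
    """Return findings about the ICC tag table; an empty list means it is self-consistent."""
    if len(profile) < 132:
        return ["profile shorter than the 128-byte header plus tag count"]
    findings = []
    declared = struct.unpack(">I", profile[:4])[0]
    if declared > len(profile):
        findings.append(f"header declares {declared} bytes but only {len(profile)} are present")
    count = struct.unpack(">I", profile[128:132])[0]
    if 132 + 12 * count > len(profile):
        return findings + [f"tag count {count} runs past the end of the profile"]
    for i in range(count):
        sig, off, size = struct.unpack(">4sII", profile[132 + 12 * i:144 + 12 * i])
        if off + size > len(profile):   # the inconsistency a CMM must reject before copying
            findings.append(f"tag {sig.decode('latin-1')}: offset {off} + size {size} exceeds profile")
    return findings

def build_profile(tag_size: int) -> bytes:
    """Constructed minimal profile: 128-byte header, one 'desc' tag, 16 bytes of tag data."""
    header = struct.pack(">I", 160) + b"\x00" * 124
    table = struct.pack(">I", 1) + struct.pack(">4sII", b"desc", 144, tag_size)
    return header + table + b"\x00" * 16

def build_jpeg(profile: bytes) -> bytes:
    """Constructed wrapper: SOI, a single APP2 ICC_PROFILE segment (chunk 1 of 1), EOI."""
    body = ICC_TAG + b"\x01\x01" + profile
    return b"\xff\xd8\xff\xe2" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

BENIGN = build_jpeg(build_profile(16))            # tag fits inside the profile
SUSPECT = build_jpeg(build_profile(0x7FFFFFF0))   # tag size far beyond the profile
```

To triage a blocked image, run `check_icc_profile(extract_icc_profile(data))` on its bytes fetched with IPS disabled: an empty list (or `None` from the extractor, meaning no profile at all) points to a signature false positive rather than a malformed profile.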
