08-08-2010 09:53 PM
If I enable the IPS function in my RVS4000, some images from various popular websites like Flickr and blogspot will not load. They are detected by IPS as "EXPLOIT Microsoft Color Management Module Buffer Overflow".
You can test it yourself with this image hosted at blogspot:
http://4.bp.blogspot.com/_a7jkcMVp5Vg/TF3gjYJrHBI/AAAAAAAAMqM/ScJAA8y9nZk/s400/sorry.jpg
With IPS enabled, that image will not load. With IPS disabled, it will.
I am using firmware 1.3.2.0 and IPS signature version 1.42.
I believe IPS is incorrectly identifying these images as containing the color management buffer overflow exploit.
Any chance this could be corrected in the next IPS signature release?
As an aside, I would prefer to open a case with support about this, but I really can't figure out how to do so. I purchased the RVS4000 when it was still made by Linksys. I would assume I should still be able to get support on it now that it's owned by Cisco, but trying to open a case on the web for this seems impossible. Am I missing something?
08-14-2010 08:25 AM
Anyone else experiencing this? Given that Microsoft rates this exploit as "critical", I'd rather not disable IPS, but it's frustrating that so many images seem to be blocked by having it enabled.
08-18-2010 02:30 PM
i've experienced this too, on flickr. unfortunately i didn't save the links to the images that raised that IPS alert.
but i can see your image with ips activated.
WRVS4400Nv2 @ V2.0.0.8;
IPS signatures: 1.42
08-18-2010 02:45 PM
i've just removed the proxy in my browser, so that it connects direct.
et voila: EXPLOIT Microsoft Color Management Module Buffer Overflow
but this raises the fear that IPS works just as expected when no (external) proxy is used.
that would be a serious problem, at least because it isn't mentioned in the online help/manual and because i'd leave my real ip at many places, which i wouldn't like.
i'd be happy to read a response from cisco to the Buffer Overflow (is it a false positive?) and if IPS should work when an external proxy is used (via unencrypted connections, so the [w]rvs has a chance to read the communication).