https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8106#M5982 <HTML><HEAD></HEAD><BODY><P>Some more info:</P><P></P><P><A class="jive-link-external-small" href="http://wwapps.paloaltonetworks.com/ThreatVault/">http://wwapps.paloaltonetworks.com/ThreatVault/</A></P><P></P><P><A class="jive-link-external-small" href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33542">http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33542</A></P><P></P><P>Attack Name: Mozilla Firefox GeckoActiveXObject Method Denial of Service Vulnerability</P><P></P><P>Description: Mozilla Firefox is prone to a denial of service vulnerability while parsing certain crafted HTTP responses.The vulnerability is due to the lack of proper checks on GeckoActiveXObject Method in the HTTP response, leading to an exploitable denial of service vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP response. A successful attack could lead to denial of service with the privileges of the current logged-in user.</P><P></P><P>Threat ID: 36871</P><P></P><P><SPAN>References: </SPAN><A class="jive-link-external-small" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803</A></P><P></P><P>Severity: high</P><P></P><P>Category: dos</P></BODY></HTML> Fri, 11 May 2012 19:00:55 GMT mikand 2012-05-11T19:00:55Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8104#M5980 <HTML><HEAD></HEAD><BODY><P>I'm seeing a lot of alerts in the last couple days for threatID 33542 when users are visiting facebook via <A href="http://www.facebook.com/">http://www.facebook.com/</A></P><P></P><P>Could this be a false positive?&nbsp; Anyone else seeing a jump in this threat?</P><P></P><P>Tnx, Tom</P></BODY></HTML> Fri, 11 May 2012 17:35:09 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8104#M5980 TomS 2012-05-11T17:35:09Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8105#M5981 <HTML><HEAD></HEAD><BODY><P class="MsoNormal">We are seeing the same thing over here. Every source IP seems to be Akami CDN servers that serve Facebook from our ISP, so I'm really thinking this is a false positive.</P><P class="MsoNormal"></P><P class="MsoNormal">app: facebook-base<BR />proto: tcp<BR />threatid: Mozilla Firefox GeckoActiveXObject Method Denial of Service Vulnerability(33542)</P></BODY></HTML> Fri, 11 May 2012 17:38:04 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8105#M5981 Braden 2012-05-11T17:38:04Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8106#M5982 <HTML><HEAD></HEAD><BODY><P>Some more info:</P><P></P><P><A class="jive-link-external-small" href="http://wwapps.paloaltonetworks.com/ThreatVault/">http://wwapps.paloaltonetworks.com/ThreatVault/</A></P><P></P><P><A class="jive-link-external-small" href="http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33542">http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33542</A></P><P></P><P>Attack Name: Mozilla Firefox GeckoActiveXObject Method Denial of Service Vulnerability</P><P></P><P>Description: Mozilla Firefox is prone to a denial of service vulnerability while parsing certain crafted HTTP responses.The vulnerability is due to the lack of proper checks on GeckoActiveXObject Method in the HTTP response, leading to an exploitable denial of service vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP response. A successful attack could lead to denial of service with the privileges of the current logged-in user.</P><P></P><P>Threat ID: 36871</P><P></P><P><SPAN>References: </SPAN><A class="jive-link-external-small" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803</A></P><P></P><P>Severity: high</P><P></P><P>Category: dos</P></BODY></HTML> Fri, 11 May 2012 19:00:55 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8106#M5982 mikand 2012-05-11T19:00:55Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8107#M5983 <HTML><HEAD></HEAD><BODY><P>Also seeing the same high count of events.&nbsp; Not all events are stemming from workstations that have Firefox installed.</P><P></P><P>-mike</P></BODY></HTML> Fri, 11 May 2012 19:09:04 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8107#M5983 MGoodnow 2012-05-11T19:09:04Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8108#M5984 <HTML><HEAD></HEAD><BODY><P>There have been some changes made to Facebook code that is causing some false positives to be triggered for this ThreatID. We are working to address this issue in next week's update.</P><P></P><P>-Stefan</P></BODY></HTML> Fri, 11 May 2012 19:12:45 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8108#M5984 sspringer 2012-05-11T19:12:45Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8109#M5985 <HTML><HEAD></HEAD><BODY><P>Is there an ETA on the patch / update?</P></BODY></HTML> Mon, 14 May 2012 14:54:49 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8109#M5985 bmaslakovic 2012-05-14T14:54:49Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8110#M5986 <HTML><HEAD></HEAD><BODY><P>Would think/hope that it would be fixed in the weekly content (wednesday AM CET, tuesday PM USA) Update. Cheers.</P></BODY></HTML> Mon, 14 May 2012 16:03:19 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8110#M5986 KP 2012-05-14T16:03:19Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8111#M5987 <HTML><HEAD></HEAD><BODY><P>Hello All,</P><P></P><P>According to the result of our lab test,</P><P>it may be fixed with the latest content ver.308-1390.</P><P>- there is not this fix on release note though...</P><P></P><P>Tomoyuki Komure</P></BODY></HTML> Wed, 16 May 2012 04:54:22 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8111#M5987 komure 2012-05-16T04:54:22Z https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8112#M5988 <HTML><HEAD></HEAD><BODY><P>Yes, we also have updated the content to 308-1390, and the alerts have stopped. Thanks!</P></BODY></HTML> Wed, 16 May 2012 14:00:41 GMT https://live.paloaltonetworks.com/t5/general-topics/threatid-33542-and-facebook/m-p/8112#M5988 bmaslakovic 2012-05-16T14:00:41Z