ThreatID 33542 and Facebook


L1 Bithead

I'm seeing a lot of alerts in the last couple days for threatID 33542 when users are visiting facebook via http://www.facebook.com/

Could this be a false positive?  Anyone else seeing a jump in this threat?

Tnx, Tom

8 REPLIES

L0 Member

We are seeing the same thing over here. Every source IP seems to be Akamai CDN servers that serve Facebook from our ISP, so I'm really thinking this is a false positive.

app: facebook-base
proto: tcp
threatid: Mozilla Firefox GeckoActiveXObject Method Denial of Service Vulnerability(33542)

Some more info:

http://wwapps.paloaltonetworks.com/ThreatVault/

http://wwapps.paloaltonetworks.com/ThreatVault/Home.aspx/ThreatDetail/33542

Attack Name: Mozilla Firefox GeckoActiveXObject Method Denial of Service Vulnerability

Description: Mozilla Firefox is prone to a denial of service vulnerability while parsing certain crafted HTTP responses. The vulnerability is due to the lack of proper checks on GeckoActiveXObject Method in the HTTP response, leading to an exploitable denial of service vulnerability. An attacker could exploit the vulnerability by sending a crafted HTTP response. A successful attack could lead to denial of service with the privileges of the current logged-in user.

Threat ID: 36871

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803

Severity: high

Category: dos

L4 Transporter

Also seeing the same high count of events.  Not all events are stemming from workstations that have Firefox installed.

-mike

L4 Transporter

There have been some changes made to Facebook code that are causing some false positives to be triggered for this ThreatID. We are working to address this issue in next week's update.

-Stefan

Is there an ETA on the patch / update?

Would think/hope that it would be fixed in the weekly content update (Wednesday AM CET, Tuesday PM USA). Cheers.

Not applicable

Hello All,

According to the results of our lab test, it may be fixed with the latest content ver. 308-1390.

- There is no mention of this fix in the release notes, though...

Tomoyuki Komure

Yes, we also have updated the content to 308-1390, and the alerts have stopped. Thanks!
