False Positive with "Microsoft MSXML Memory Corruption Vulnerability(35646)"
15592
Created On 10/12/22 07:37 AM - Last Modified 02/07/25 22:22 PM
Symptom
A vulnerability signature "Microsoft MSXML Memory Corruption Vulnerability(35646)" is triggered when accessing a legitimate web site.
Cause
Here's the description of the signature.
https://threatvault.paloaltonetworks.com/?query=35646&type=
"Microsoft XML Core Services is prone to a memory corruption vulnerability while parsing certain crafted XML files. The vulnerability is due to the way XML core services handles XMLS, leading to memory corruption. An attacker could exploit the vulnerability by sending a crafted HTML document. A successful attack could lead to remote code execution with the privileges of the current logged-in user."
The threat log usually shows a JavaScript file name.
Most likely, the web site returns JavaScript that instantiates a control through 'ActiveXObject', and that usage is what matches the signature on the firewall.
ActiveX is a remotely exploitable attack surface exposed by the browser. By its nature, an ActiveX component performs sensitive functionality not normally exposed to JavaScript, and that functionality can be abused. ActiveX components can be written in C/C++, which means they can suffer from buffer overflows and other memory corruption vulnerabilities.
Palo Alto Networks has reviewed several reported instances to assess whether the signature could be updated and decided not to change it, because use of 'ActiveXObject' in JavaScript is itself considered insecure.
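Before adding an exception, it is worth confirming that the script named in the threat log really is a legacy compatibility shim and not something else that happens to use ActiveX. The following is an added example, not Palo Alto Networks' code and not the firewall's signature logic (which is not published): a small Python triage script that scans a JavaScript body for 'new ActiveXObject(...)' calls, checks whether the ProgID is an MSXML class and whether the call sits behind the usual XMLHttpRequest or try/catch guard, and returns a verdict. The two sample scripts are constructed for the example; the ProgID list and the guard heuristic are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# ProgIDs that instantiate Microsoft XML Core Services (MSXML) via ActiveX.
# Assumption: this covers the common legacy XMLHTTP / DOMDocument shims; it is
# not the firewall's own pattern, which Palo Alto Networks does not publish.
MSXML_PROGID_RE = re.compile(
    r"^(?:Microsoft\.XML(?:HTTP|DOM)"
    r"|Msxml2\.(?:XMLHTTP|ServerXMLHTTP|DOMDocument)(?:\.\d+\.\d+)?)$",
    re.IGNORECASE,
)

# Matches new ActiveXObject("ProgID") or new ActiveXObject('ProgID').
ACTIVEX_CALL_RE = re.compile(
    r"""new\s+ActiveXObject\s*\(\s*(['"])(?P<progid>[^'"]*)\1\s*\)""",
    re.IGNORECASE,
)

# Lines of preceding context to inspect for the usual compatibility guard.
GUARD_WINDOW = 6


@dataclass
class Finding:
    line: int       # 1-based line number of the call
    progid: str     # ProgID passed to ActiveXObject
    msxml: bool     # True if the ProgID is an MSXML class
    guarded: bool   # True if an XMLHttpRequest check or try block precedes it


def find_activex(js: str) -> List[Finding]:
    """Return every ActiveXObject instantiation found in a JavaScript body."""
    lines = js.splitlines()
    findings = []
    for m in ACTIVEX_CALL_RE.finditer(js):
        lineno = js.count("\n", 0, m.start()) + 1
        progid = m.group("progid")
        # Heuristic (assumption): a feature-detection shim looks like
        # "if (window.XMLHttpRequest) ... else new ActiveXObject(...)" or a try/catch.
        window = "\n".join(lines[max(0, lineno - GUARD_WINDOW):lineno])
        guarded = re.search(r"XMLHttpRequest|try\s*\{", window) is not None
        findings.append(Finding(lineno, progid,
                                MSXML_PROGID_RE.match(progid) is not None, guarded))
    return findings


def triage(js: str) -> str:
    """Summarise whether the ActiveX use looks like a benign legacy MSXML shim."""
    findings = find_activex(js)
    if not findings:
        return "no ActiveXObject use found: signature matched something else, inspect the full response"
    if all(f.msxml and f.guarded for f in findings):
        return "legacy MSXML XMLHttpRequest shim: consistent with a false positive"
    return "review manually: unguarded or non-MSXML ActiveX use, inspect before adding an exception"


# Constructed sample: the kind of legacy XHR shim that trips signature 35646.
SAMPLE_LEGACY_JS = """\
// legacy XMLHttpRequest shim
function createXhr() {
  if (window.XMLHttpRequest) {
    return new XMLHttpRequest();
  }
  try {
    return new ActiveXObject("Msxml2.XMLHTTP.6.0");
  } catch (e) {
    return new ActiveXObject("Microsoft.XMLHTTP");
  }
}
"""

# Constructed sample: direct MSXML DOM use with no feature-detection guard.
SAMPLE_UNGUARDED_JS = """\
// parse server-supplied XML with MSXML only
var doc = new ActiveXObject("Microsoft.XMLDOM");
doc.async = false;
doc.loadXML(xmlText);
"""


if __name__ == "__main__":
    for name, js in (("legacy shim", SAMPLE_LEGACY_JS), ("unguarded", SAMPLE_UNGUARDED_JS)):
        print(f"{name}: {triage(js)}")
        for f in find_activex(js):
            print(f"  line {f.line}: {f.progid} msxml={f.msxml} guarded={f.guarded}")
```

Feed the script the response body fetched from the URL shown in the threat log (from a host where retrieving it is acceptable). A "legacy" verdict supports treating the hit as a false positive; a "review manually" verdict is a prompt to read the script, not a malicious verdict.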
Resolution
If the web site is confirmed to be safe and the ActiveX control must be allowed for business purposes, Palo Alto Networks recommends adding an exception for this signature (threat ID 35646) in the Vulnerability Protection profile applied to the relevant security policy rule, scoped as narrowly as the business need allows (for example, to the affected IP addresses rather than to all traffic).
Additional Information
How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC