
Windows MediaPlayer

Attack ID: CPAI-2003-23
Publish Date:
Last Update:
Category: Windows MediaPlayer
Vulnerable Systems: Microsoft Windows 98/98SE/NT/2000/XP with Windows MediaPlayer installed.
Source: SmartDefense Team internal research
CAN-2003-0228
Description: Windows MediaPlayer is a popular media player that allows users to listen to live streaming music and watch video online. Additional features include playing CDs, MP3 files and various video formats.
Severity:
  Windows MediaPlayer poses threats of buffer overflow and remote arbitrary code execution, as well as consumption of valuable network resources.
Details: Because Windows MediaPlayer requests are valid HTTP requests, an "HTTP header filter" log entry will appear in the log file only after SmartDefense's signature file has been updated.
Attack Detection: Using SmartView Tracker, one can identify attempts by MediaPlayer to connect to a streaming media server and retrieve information. SmartDefense will generate a log entry stating that an "HTTP header filter" has blocked the attempt, and the attack information field will state "Attack Info: HTTP Header filter matched: Windows MediaPlayer".
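
One way to triage the log entries described above, added here as an example and not Check Point's own tooling. It assumes the log has been exported as text with semicolon-separated "key: value" fields (a constructed layout; the field names time, src, dst and the sample lines are assumptions) and groups the Windows MediaPlayer matches by source host.

```python
# Added example: summarise "HTTP header filter" hits for Windows MediaPlayer per source.
# The export layout and all sample lines below are constructed for illustration.

# Text the advisory says appears in the attack information field.
ATTACK_INFO = "HTTP Header filter matched: Windows MediaPlayer"

SAMPLE_LOG = """\
time: 10:02:11; action: reject; src: 10.1.1.23; dst: 198.51.100.7; service: http; Attack Info: HTTP Header filter matched: Windows MediaPlayer
time: 10:02:40; action: accept; src: 10.1.1.40; dst: 203.0.113.9; service: http
time: 10:03:05; action: reject; src: 10.1.1.23; dst: 198.51.100.8; service: http; Attack Info: HTTP Header filter matched: Windows MediaPlayer
time: 10:04:19; action: reject; src: 10.1.1.57; dst: 198.51.100.7; service: http; Attack Info: HTTP Header filter matched: ExamplePattern
time: 10:05:52; action: reject; src: 10.1.1.40; dst: 198.51.100.7; service: http; Attack Info: HTTP Header filter matched: Windows MediaPlayer
"""


def parse_line(line):
    """Split one 'key: value; key: value' record into a dict with lower-cased keys."""
    record = {}
    for field in line.split(";"):
        # Partition on the first colon only, so values such as 10:02:11 stay intact.
        key, sep, value = field.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record


def mediaplayer_hits(log_text):
    """Return {src: {"count", "first", "last", "dsts"}} for MediaPlayer filter matches."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Compare case-insensitively; other header-filter patterns are ignored.
        if rec.get("attack info", "").lower() != ATTACK_INFO.lower():
            continue
        entry = hits.setdefault(
            rec.get("src", "unknown"),
            {"count": 0, "first": rec.get("time"), "last": None, "dsts": set()},
        )
        entry["count"] += 1
        entry["last"] = rec.get("time")
        entry["dsts"].add(rec.get("dst", "unknown"))
    return hits


if __name__ == "__main__":
    ranked = sorted(mediaplayer_hits(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for src, e in ranked:
        print(f"{src}: {e['count']} blocked, {e['first']}-{e['last']}, "
              f"servers: {', '.join(sorted(e['dsts']))}")
```
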
Solution:

FireWall-1 NG with Application Intelligence solution

FireWall-1 NG with Application Intelligence users should update SmartDefense to the latest version of the signature file by pressing the "Update Now" button in the "General" tab of the SmartDefense configuration menu. This option is available to customers with a valid subscription license.

In order to prevent Windows MediaPlayer from accessing the Internet via HTTP, users deploying FireWall-1 NG with Application Intelligence should configure the following:

  1. Open the SmartDefense tab in SmartDashboard and select "Application Intelligence" -> "Web" -> "HTTP Protocol Inspection".
  2. Specify if the HTTP protocol inspection is to be performed on all HTTP connections or only on connections that have a resource defined.
    If you choose "Configurations apply only to connections related to resources used in the Rule Base", an HTTP resource should be configured. If you choose "Configurations apply to all connections", HTTP inspection will be performed on any rule that allows HTTP.
  3. Expand the "HTTP Protocol Inspection" tree and mark "Peer to Peer". From the list of header patterns, mark "Windows MediaPlayer".
  4. If in step 2 you chose not to tie HTTP inspection to a resource, the rule should look like the following:
    • SRC=<internal network>, DST=any, Service=HTTP, Accept, Log.
  5. If you have selected in step 2 to use a resource for HTTP protocol inspection, configure a resource as follows:
    1. Select the menu items Manage > Resources, then "New" and choose URI.
    2. Type "Header-Scanning" in the "Name" window.
    3. In the "Match" tab, mark "http" under "Schemes".
    4. Remove the "*" sign from the "Other" window and press OK.

    Your rule should look like the following:

    • SRC=<Internal Network>, DST=Any, Service=HTTP with "Header-Scanning" resource, Accept, Log.
  6. Install the security policy on all modules.

FireWall-1 Feature Pack 3 Solution

Industry Reference:
Additional Information: The Check Point P2P FAQ provides additional information for blocking and controlling worms and applications that have similar characteristics and behavior patterns. Customers are advised to review the mentioned publications for additional information regarding precautions and measures that can be taken against the application discussed in this advisory and future threats that may appear.