
Enhanced Protection Against Microsoft Windows Media Player Vulnerability (MS06-005)


Check Point Reference: CPAI-2006-016
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-005
eEye
Industry Reference(s): CVE-2006-0006
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Microsoft Windows Media Player 7.1 through 10

Windows NT 4.0
Windows 98 / ME
Windows 2000 SP4
Windows XP SP1 / SP2
Windows 2003
Vulnerability Description
A flaw was reported in Windows Media Player versions 7.1 through 10 in the way it handles bitmap (.bmp) files. Windows Media Player is a feature of the Windows operating system for personal computers, used for playing audio and video. An attacker could exploit this vulnerability by embedding a specially crafted Windows Media Player image within another file, such as a Word document, and convincing a user to open the document. Successful exploitation allows the attacker to execute arbitrary code in the context of the user running the player.

Click the Protection section for an enhanced solution from March 20 against this vulnerability.
Vulnerability Status
 
Update/Patch Available
Microsoft has released a patch for this vulnerability. The patch is available at http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx.
Vulnerability Details
The vulnerability is caused by an unchecked buffer in the bitmap (.bmp) image parsing function within Windows Media Player. An attacker could construct a specially crafted message and host it on a Web site or attach it to an email message.

Protection Overview
The protection blocks malformed BMP files that could potentially allow remote code execution. A Strict Enforcement option allows for a less permissive approach that will identify malicious BMP files and check them for the MS06-005 vulnerability, even when the file has not been entirely identified as a BMP file. This will block possible additional variations of this attack, but may result in a certain amount of false positives, depending on the traffic.

Note: Depending on the traffic mix, activating this protection may result in performance degradation.
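
The difference between the default and Strict Enforcement behaviour described above can be sketched as follows. This is an added example, not Check Point's inspection logic: the header fields checked, the function names and the strict-mode marker scan are assumptions chosen for illustration, and the page does not state which field the MS06-005 flaw involves. The sample data is constructed.

```python
import re
import struct

FILE_HDR = struct.Struct("<2sIHHI")  # bfType, bfSize, 2 reserved words, bfOffBits
KNOWN_DIB_SIZES = {12, 40, 52, 56, 64, 108, 124}

def header_problems(data):
    """Consistency checks on a BMP header at the start of `data` (>= 30 bytes)."""
    _magic, bf_size, _r1, _r2, off_bits = FILE_HDR.unpack_from(data)
    (dib_size,) = struct.unpack_from("<I", data, FILE_HDR.size)
    min_size = FILE_HDR.size + dib_size
    problems = []
    if bf_size < min_size:
        problems.append("declared file size smaller than its own headers")
    if bf_size > len(data):
        problems.append("declared file size exceeds available data")
    if not min_size <= off_bits <= len(data):
        problems.append("pixel data offset outside the file")
    if dib_size >= 40:
        width, height, planes, bpp = struct.unpack_from("<iiHH", data, 18)
        if width <= 0 or height == 0 or planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
            problems.append("implausible dimensions or bit depth")
    return problems

def inspect(buf, strict=False):
    """Return [(offset, problems)] for BMP headers that fail the checks."""
    if strict:   # hypothetical strict mode: every "BM" marker is a candidate
        offsets = [m.start() for m in re.finditer(b"BM", buf)]
    else:        # default: only data already identified as a BMP file
        offsets = [0] if buf.startswith(b"BM") else []
    findings = []
    for off in offsets:
        data = buf[off:]
        if len(data) < 30 or struct.unpack_from("<I", data, 14)[0] not in KNOWN_DIB_SIZES:
            if not strict:
                findings.append((off, ["truncated or unknown header"]))
            continue  # strict mode skips implausible candidates to limit noise
        problems = header_problems(data)
        if problems:
            findings.append((off, problems))
    return findings

def make_bmp(bf_size=70, off_bits=54):
    """Constructed 2x2 24-bit sample; arguments let a caller corrupt header fields."""
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, 16, 2835, 2835, 0, 0)
    return FILE_HDR.pack(b"BM", bf_size, 0, 0, off_bits) + dib + bytes(16)

# Constructed container: a non-BMP prefix with a bad-header bitmap embedded at offset 64.
EMBEDDED = b"\xd0\xcf\x11\xe0" + bytes(60) + make_bmp(bf_size=1_000_000, off_bits=4096) + bytes(32)
```

In this sketch the default mode returns nothing for EMBEDDED because the data does not start as a BMP, while strict mode reports the header at offset 64; scanning every marker is also why a coincidental byte sequence in unrelated traffic can be flagged.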

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update also includes the following protections:

  • Trojan Spy Goldun.de Protection (CPAI-2006-025)
  • ezDatabase Remote File Inclusion Protection (CPAI-2006-026)
  • TFTPD32 Request Error Message Format String Protection (CPAI-2006-027) - InterSpect NGX only
  • Cisco IOS CDP Status Page Code Injection Protection (CPAI-2006-028)
  • SHOUTcast Filename Request Format String Protection (CPAI-2006-029)
  • Oracle Report File Overwrite/Oracle Report Directory Traversal Protection (CPAI-2006-030)
  • Google Talk via Gmail Web Interface Protection (CPSA-2006-02)
  • IBM Tivoli Access Manager Directory Traversal Protection (CPAI-2006-031)
  • Protection Against NFS Vulnerabilities (CPAI-2006-032)
  • Protection against PmWiki multiple vulnerabilities.

VPN-1 NGX R61

How Can I Protect My Network?
1. Update your SmartDefense: click the SmartDefense Services tab; in the left pane, from the drop-down menu, click Download Updates and then click the Online Update button.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Malformed BMP file.

Click Perform Strict Enforcement for the stricter mode of the protection.

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Malformed BMP file

VPN-1 NGX R60 / VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?

1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Malformed BMP file.

Click Perform Strict Enforcement for the stricter mode of protection.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Malformed BMP file

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. Update your SmartDefense by clicking Update Now in the SmartDashboard General window.
2. In the SmartDefense tree, click Application Intelligence > Content Protection > Malformed BMP file.

Click Perform Strict Enforcement for the stricter mode of protection.
3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rule 99880.

InterSpect NGX

How Can I Protect My Network?
1. Update your SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
3. In the SmartDefense tree, click Application Intelligence > Content Protection > Malformed BMP file.
4. In the opposite screen, enable Block malicious BMP files. For a stricter mode of protection, enable Strict Enforcement.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Malformed BMP file

InterSpect 2.0

How Can I Protect My Network?
1. Update your SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
3. In the SmartDefense tree, click Application Intelligence > Content Protection > Malformed BMP file.
4. In the opposite screen, enable Block malicious BMP files. For a stricter mode of protection, enable Strict Enforcement.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?

SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Malformed BMP file