Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Windows Media Player Remote Code Execution Vulnerabilities (MS06-078)

Subscribe

Check Point Reference: CPAI-2007-004
Date Published:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS06-078
Industry Reference(s): CVE-2006-6134
CVE-2006-4702
Protection Provided by: VPN-1
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
VSX
  • NGX
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Microsoft Windows Media Format versions 7.1 through 9.5
Microsoft Windows Media Format version 9.5 (x64 Edition)
Microsoft Windows Media Player version 6.4
Vulnerability Description
Microsoft Windows Media Player is prone to multiple remote code execution vulnerabilities. The vulnerabilities are due to the way the application handles the processing of ASF and ASX files. ASF (Advanced Streaming Format) is a file format that stores audio and video information that is designed to run over networks. ASX (Advanced Stream Redirector) is a file format designed to store a list of Windows Media files to play during a multimedia presentation.
A remote attacker could exploit these vulnerabilities to cause denial of service and execute arbitrary code via a maliciously crafted Windows Media Player file.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS06-078
Vulnerability Details
These vulnerabilities are due to a buffer overflow error when processing malformed ASF and ASX files. An attacker can trigger these flaws by convincing a user to view a specially crafted HTML document containing a malicious ASF or ASX file. Successful exploitation could result in the crashing of the victim's application, once the malicious content is loaded allowing execution of arbitrary code.

Protection Overview
By enabling this protection, SmartDefense will detect and block the transferring of malformed ASF and ASX over HTTP. Depending on the traffic mix, activating this protection may result in performance degradation.

In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The Update released on January 9, 2007 includes the following protections:
 
Microsoft Internet Explorer Memory Corruption Vulnerability (MS06-072) - CPAI-2007-001
Microsoft Internet Explorer TIF Folder Vulnerability (MS06-072) - CPAI-2007-002
Microsoft Outlook Express Windows Address Book Vulnerability (MS06-076) - CPAI-2007-003
Microsoft Windows Media Player Code Execution Vulnerabilities (MS06-078) - CPAI-2007-004
Malformed IMAP Commands Vulnerabilities (SBP-2007-01)
Blocking Syslog-Related Vulnerabilities (SBP-2007-02)

VPN-1 NGX R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > Content Protection.
2. Select the following:

Malformed ASF
Malformed ASX

3. In the configuration pane, under Settings > Mode, check Active.



4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information:
Malformed ASF file
Malformed ASX file

VPN-1 NGX R61, VPN-1 NGX R60, VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection.
2. Select the following:

Malformed ASF
Malformed ASX


3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information:
Malformed ASF file
Malformed ASX file

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection.
2. Select the following:

Malformed ASF
Malformed ASX

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules 99848 and 99846 for malformed ASF and ASX files accordingly.

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Content Protection.
2. Select the following:

Malformed ASF
Malformed ASX

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules 99848 and 99846 for malformed ASF and ASX files accordingly.

InterSpect NGX

How Can I Protect My Network?
1. In the lefthand menu, click Profiles > Default Protection > SmartDefense. The SmartDefense page opens.
2. In the SmartDefense tree, click Application Intelligence > Content Protection and enable the following protection:

Malformed ASF
Malformed ASX

3. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information:
Malformed ASF file
Malformed ASX file

InterSpect 2.0

How Can I Protect My Network?
1. Click Application Intelligence > Content Protection and enable the following protection:

Malformed ASF
Malformed ASX

2. Install security policy.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information:
Malformed ASF file
Malformed ASX file