Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft DirectShow MJPEG Decompression Remote Code Execution Vulnerability (MS09-011)

Subscribe

Check Point Reference: CPAI-2009-080
Date Published:
Preemptive Since:
Severity:
Last Updated:
Source: Microsoft Security Bulletin MS09-011
Industry Reference(s): CVE-2009-0084
Protection Provided by: Security Gateway
  • R70
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
DirectX 8.1:
Microsoft Windows 2000 SP4

DirectX 9.0:
Microsoft Windows 2000 SP4
Windows XP SP2
Windows XP SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1
Windows Server 2003 SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Server 2003 with SP1 (Itanium)
Windows Server 2003 with SP2 (Itanium)

Vulnerability Description
A remote code execution vulnerability has been identified in the Microsoft DirectShow. Microsoft DirectShow is used for streaming media on Microsoft Windows operating systems. The DirectShow technology performs client-side audio and video sourcing, manipulation and rendering. A remote attacker could exploit this issue via a malformed MJPEG file. An MJPEG file is a media file where a number of JPEG images are connected together to create a video stream. The MJPEG video stream can then be inserted into an AVI or other common video formatted file. Successful exploitation of this vulnerability may allow execution of arbitrary code on a target system.
Update/Patch Available
Apply patches:
Microsoft Security Bulletin MS09-011
Vulnerability Details
The vulnerability is due to an error in the Microsoft DirectShow component that fails to properly handle specially crafted compressed files. An attacker can exploit this flaw to execute arbitrary code on a vulnerable system via a specially crafted MJPEG file. Successful exploitation of this issue may allow the attacker to take complete control of an affected system.

Protection Overview
This protection will detect and block the transferring of AVI files that contain a malformed JPEG over HTTP.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > Content Protection.
2. In the right pane, double-click the Microsoft DirectShow MJPEG Decompression Remote Code Execution (MS09-011) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Microsoft DirectShow MJPEG decompression remote code execution (MS09-011)

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?

1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the ANI/RIFF Parser protection group.
3. Click RIFF Parsing: DirectShow MJPEG frame overflow (CVE-2009-0084) - IPS-1 NGX R65 only.
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?

Upon attack, the following entries will be logged:

Alert Name: Badfiles RIFF Parsing
Description: RIFF Parsing: DirectShow MJPEG frame overflow (CVE-2009-0084)