01-31-2007 03:51 AM - edited 03-10-2019 03:26 AM
This is a brand new signature that I have not seen before, with little info available other than a few lines in Cisco MySDN.
It states that:
"This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.
IOS not supported.
There are no known benign triggers".
I have tried researching the normal channels, google, MySDN and this forum.
Has anyone got any additional info about the cause and effect of this alert?
01-31-2007 03:52 AM
Just wanted to add that I have found some security websites which recommend uninstalling Windows Media Player, if it is not needed?
01-31-2007 04:36 AM
I have been discussing this with my colleagues and I am going to raise a TAC case. It seems to be the general consensus that any signature that fires with only a source IP (1-way) is a problem. I used to think that this was how it was, and that some signatures, by default, don't display a destination IP. I am beginning to think that this might be a bug of sorts?
How can we effectively report network activity to our clients without a destination?
Any feedback would be welcome.
02-01-2007 03:14 PM
Signature 5498-0 is a meta signature with two sub-components, signatures 5500-0 and 5501-0. Their descriptions follow.
5500
This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.
5501
This signature fires upon detecting ActiveX ADODB stream in return HTTP traffic.
This signature is a component of meta-signature 5498-0 and has no event-actions of its own defined.
The vulnerability itself is addressed by MS03-040.
What the signatures look for as a whole is return web traffic indicating the execution of an .asp file and an ActiveX object of type ADODB Stream.
You can read more about this vulnerability at the following links:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp
http://www.securityfocus.com/bid/8263/info
As for the signatures keying on source address only, we are aware that this is an issue with older meta signatures and are working to update them.
02-02-2007 12:12 PM
Just as a little more detail... 5498-0, the IP address presented in the alert, is the source web server, serving what is possibly a malicious file. Now I (and this is a personal opinion) wouldn't care about the victim, since the victim is the client connecting to the web server. Your opinion on that may be different, and it appears to be, since you do want that information. That's an easy change: edit the signature and change the meta-key to AxBx (attacker & victim addresses). Now your alert will contain the attacker (which would be the server) and the victim (which is the client making that connection).