Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
554
Views
0
Helpful
4
Replies

Sig 5498 - Media Player IE Zone Bypass

andy.deakin
Level 1
Level 1

‎01-31-2007 03:51 AM - edited ‎03-10-2019 03:26 AM

This is a brand new signature, that I have not seen before, with little info available, other than a few lines in Cisco MySDN.

It states that;

"This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.

IOS not supported.

There are no known benign triggers".

I have tried researching the normal channels, google, MySDN and this forum.

Has anyone got any additional info about the cause and efect of this alert?

Labels:
0 Helpful
4 Replies 4

andy.deakin
Level 1
Level 1

‎01-31-2007 03:52 AM

Just wanted to add that I have found some security websites, which recommend uninstalling Windows media player, if not needed?

0 Helpful

andy.deakin
Level 1
Level 1
In response to andy.deakin

‎01-31-2007 04:36 AM

I have been discussing this with my colleagues and I am going to raise a TAC case. It seems to be the general consensus that any signature that fires with only a source IP (1-way)is a problem. I used to think that this was how it was, and that some signatures, by default don't display a destination IP. I am beginning to think that this might be a bug of sorts??

How can we effectively report to our clients, network activity without a destination?

Any feedback would be welcome.

0 Helpful

nicksmi
Cisco Employee
Cisco Employee
In response to andy.deakin

‎02-01-2007 03:14 PM

Signature 5498-0 is a meta signature with two sub-components, signatures 5500-0 and 5501-0. Their descriptions follow.

5500

This signature fires upon detecting an Internet Explorer Zone Bypass exploit, using Media Player to silently execute a Windows Media Advanced Systems Format (ASF) file in the Local Zone of the vulnerable system.

5501

This signature fires upon detecting ActiveX ADODB stream in return HTTP traffic.

This signature is a component of meta-signature 5498-0 and has no event-actions of its own defined.

The vulnerability itself is addressed by MS03-040.

What the signatures look for as a whole is return web traffic indicating the execution of an .asp file and an ActiveX object of type ADODB Stream.

You can read more about this vulnerability at the following links:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp

http://www.securityfocus.com/bid/8263/info

As for the signatures keying on source address only, we are aware that this is an issue with older meta signatures and are working to update them.

0 Helpful

wsulym
Cisco Employee
Cisco Employee
In response to andy.deakin

‎02-02-2007 12:12 PM

Just as a little more detail... 5498-0, the ip address presented in the alert, is the source web server, serving what is possibly a malicious file. Now I (and this is a personal opinion) wouldn't care about the victim, since the victim is the client connecting to the web server. Your opinion on that may be different, and it appears to be, since you do want that information. That's an easy change, edit the signature and change the meta-key to AxBx (attacker & victim addresses) - now your alert will contain the attacker (which would be the server) and the victim (which is the client making that connection).

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card