Check Point Advisories

Microsoft Windows Media Player DVR-MS Files Code Execution (MS11-015; CVE-2011-0042)

Vulnerability
Protection

Check Point Reference:	CPAI-2011-055
Date Published:	8 Mar 2011
Severity:	Critical
Last Updated:	Tuesday 08 March, 2011
Source:
Industry Reference:	CVE-2011-0042
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	DVR-MS (Microsoft Digital Video Recording) is a proprietary video and audio file container format, developed by Microsoft used for storing TV content recorded by Windows XP Media Center Edition, Windows Vista and Windows 7. A remote code execution vulnerability has been reported in the way Windows Media Player and Windows Media Center handle DVR-MS files. The vulnerability is caused by Windows Media Player and Windows Media Center that fail to properly parse specially crafted DVR-MS media files. A remote attacker could exploit this issue by convincing a user to open a specially crafted ASF file or receive specially crafted streaming content. Successful exploitation of this vulnerability will allow the attacker to execute arbitrary code on an affected system remotely.

Protection Overview

This protection will detect and block the transferring of malformed ASF files over HTTP.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft Windows Media Player DVR-MS Files Code Execution (MS11-015) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Content Protection Violation.
Attack Information: Microsoft Windows Media Player DVR-MS Files Code Execution (MS11-015)