in

eEye Digital Security

The endpoint to vulnerability starts here.

 
eEye Digital Security » Blink Forums » Archives » Blink 4.0 Feedback » Windows media player

Windows media player

Last post 12-01-2008 9:20 AM by Blue1978. 8 replies.
Page 1 of 1 (9 items)
Sort Posts: Previous Next

  • 03-30-2008 8:34 AM

    Windows media player

    Reply Contact
    Application protection : Application alert   2008-03-30 11:21:49 
     Event ID: BLINK-APP-100
     Severity: High
     Description: Blink detected a suspicious system call.
     Reason: KERNEL32.DLL!CreateThread
     Action: Terminate Process
     Program: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
     Alert: Yes
     Note: Blink detected an abnormal behavior in one of the monitored applications. It is very likely that you are witnessing an attempt to exploit a known or unknown buffer overflow vulnerability in this application. The best course of action is to update this application to the latest version available from its vendor. Also, please report this issue to eEye to be investigated further. If you are sure that this is not an attack, you can disable the Application Protection layer for this application by editing the apiex.ini file in the Config folder under the Blink installation directory.

    To add an exclusion for this application, open the file in notepad or your favorite text editor and add a line in this format: PROCESS_NAME;;Kevlar;0
    Replace the PROCESS_NAME entry above with the .exe name reported above in this event. For example, to exclude notepad.exe create an entry like this: notepad.exe;;Kevlar;0

    Your are asking to report this but your aren't saying where.

     

  • 03-30-2008 12:14 PM In reply to

    Re: Windows media player

    Reply Contact
         That alert is because of Blink's Internal Application Protection Engine, that eEye named "Kevlar".  There was something running via Window's Media Player that Blink did not like and it stopped it just to be safe about it.  

         How often does that occur?  Do you remember when you got that alert and what you may have been doing at that particular time?  Did it occur when you played a certain file with the Media Player, or did that happen just out of nowhere? 

         Me personally I would NOT exclude Windows Media Player from Blink's Application Protection engine.  I would try to round it down to what is causing that alert in particular.  Reason being Window's Media Player is a big vector for a lot of media exploits that attempt to invoke buffer overflows, etc, and simply excluding it because you have an annoying alert for a few instances here and there is risky in my opinion.  If one day you do happen to stream a malicious online video or download and run a malicious mp3, media file etc Blink will not stop it at the Application level at that point if you add it to the exclusion file that is noted above (apiex.ini).

    See if this post helps you make sense of that alert and helps you resolve it:

    http://forums.eeye.com/forums/p/54/140.aspx#140 

     

  • 03-31-2008 7:21 AM In reply to

    Re: Windows media player

    Reply Contact

    My computer :

    Windows vista Ultimate 64bits.

    I'm using it as a Media server for my PS3.

    I'm getting this error everytime i'm using Windows Media Player. Once this appended i can't acces my library anymore, i can't listen to my music or videos. I tried to restart WMP, but 10 secondes later same error.

  • 03-31-2008 6:17 PM In reply to

    Re: Windows media player

    Reply Contact

    Interesting, you might have to exclude it then if you can't do anything until eEye is able to look at it.  Let me try playing something in my Vista Ultimate VM and see if it does it to me too.  I have not tried using Windows Media Player in it yet.  It might not do it for me though since I am using the 32bit version of Ultimate and do not have all of those extra items you pointed out.

  • 03-31-2008 6:31 PM In reply to

    Re: Windows media player

    Reply Contact

    Well I can't reproduce it on the 32bit version.  Hopefully eEye can take a look at this. 

  • 04-02-2008 2:49 PM In reply to

    Re: Windows media player

    Reply Contact

    Can you please point us to an online file that causes this to happen when played in WMP?

    Or is it happening simply by opening WMP?

     Also, which codecs have you installed in WMP?

    Thanks!

    Regards
    Laurentiu Nicula

  • 04-03-2008 7:11 PM In reply to

    Re: Windows media player

    Reply Contact

    It's appenning mp3 files on my own computer... As soon as i acces my library and try to play a song. those mp3 are encoded with WMP..

  • 04-14-2008 7:07 PM In reply to

    Re: Windows media player

    Reply Contact

    That error occur on both of my computers.

  • 12-01-2008 9:20 AM In reply to

    Re: Windows media player

    Reply Contact

    Is this still an issue with the latest version of Blink?
Page 1 of 1 (9 items)
© 1995 - 2009 eEye Incorporated