Author Topic: Shellcode injection warnings for Windows Media Player  (Read 19623 times)

Offline Tim Tylor

  • Newbie
  • *
  • Posts: 5
Shellcode injection warnings for Windows Media Player
« on: February 20, 2009, 04:24:45 AM »
After the latest update for Comodo Firewall I've been getting buffer overflow warnings for Windows Media Player. I'm seeing it on two computers with the same operating systems and security software.

Here's the Defense+ log entry
19/02/2009 20:15:14 \Device\HarddiskVolume2\Program Files\Windows Media Player\wmplayer.exe  Shellcode Injection

Here's the OS and security software on both machines: Windows XP Home edition, with SP3 and all critical patches. Comodo firewall (surprise ;) ) with Defense + enabled, ESET NOD32 antivirus and SuperAntiSpyware free edition.

(Apologies if I've chosen the wrong forum section. It's a buffer overflow issue, but I'm using Comodo Firewall rather than the standalone Memory Firewall.)

Offline Ronny

  • Retired - Product Translator
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 13543
  • Retired - Volunteer Moderator
Re: Shellcode injection warnings for Windows Media Player
« Reply #1 on: February 20, 2009, 06:37:16 AM »
I think this needs some sort of investigation to see if it's a FP or not.
Have you loaded any "strange" codecs or other stuff in there?
Which version of WMP are we talking about?
Retired - Volunteer Moderator
Any concerns? Please send me a PM or review the Forum Policy -  update Jan 3rd 2013!

Offline Tim Tylor

Re: Shellcode injection warnings for Windows Media Player
« Reply #2 on: February 20, 2009, 11:30:47 AM »
It's WMP version 11.0.5721.5230 on both computers. I don't think I've installed anything dodgy, and I do regular virus and spyware scans on both machines.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: Shellcode injection warnings for Windows Media Player
« Reply #3 on: February 20, 2009, 05:28:26 PM »
In the machine you can see this behavior, can you pls try with the other security software uninstalled in order to see if this resolves the alert?

There are 3 possibilities:

1 - There is a BO in Media Player
2 - There is a BO in one of the components loaded into the memory of Media Player and this component is a part of another software (in your case it might be one of the security software you have)
3 - This is a false positive

To help us identify, can you pls try with other security software uninstalled?

Thx,
Egemen

Offline Tim Tylor

Re: Shellcode injection warnings for Windows Media Player
« Reply #4 on: February 21, 2009, 08:22:57 AM »
Sorry for the slow response. I've tried it with the other programs uninstalled, and I still get the warnings.

Offline Tim Tylor

Re: Shellcode injection warnings for Windows Media Player
« Reply #5 on: March 02, 2009, 07:34:23 AM »
Installed the recent Comodo updates, but it's still happening.

Offline Ronny

Re: Shellcode injection warnings for Windows Media Player
« Reply #6 on: March 02, 2009, 10:19:33 AM »
I guess we have to wait for Egemen to see what's next...

Offline egemen

Re: Shellcode injection warnings for Windows Media Player
« Reply #7 on: March 02, 2009, 11:25:18 AM »
We could not reproduce this issue. I am pretty sure this is a genuine buffer overflow alert. But to be sure, can you have an EasyVPN session with me so that I can specifically identify on your computer?

Offline Tim Tylor

Re: Shellcode injection warnings for Windows Media Player
« Reply #8 on: March 02, 2009, 02:48:30 PM »
Sure, if we can arrange a time. Thanks muchly.  :)
Update: I've started getting buffer overflow alerts for notepad.exe as well.

Offline egemen

Re: Shellcode injection warnings for Windows Media Player
« Reply #9 on: March 02, 2009, 02:53:18 PM »
Ok, please add me to your EasyVPN list. My ID is Egemen. You can download COMODO EasyVPN from http://easy-vpn.comodo.com/download.html

Thanks,

Egemen

Offline Ronny

Re: Shellcode injection warnings for Windows Media Player
« Reply #10 on: March 02, 2009, 02:54:05 PM »
That does not sound very good, the notepad stuff that is, Egemen go catch it ;-)

 
