HTTP Components and MS-Windows Defense Method
Attackers might use HTTP to send ActiveX controls, Java applets, .zip files, or .exe files to a target system, enabling them to load and control applications on hosts in a protected network. You can configure the security device to block the components (the device monitors incoming HTTP headers for blocked content types) as described in Table 1.
Table 1: HTTP Components

Java applets: Java applets let Web pages interact with other programs. An applet runs by downloading itself to the Java Virtual Machine (VM) on the target system. Because attackers can write Java applets that operate outside the VM sandbox, you might want to block them from passing through the security device.

ActiveX controls: Microsoft's ActiveX lets different programs interact with each other, and a control might itself contain Java applets, .exe files, or .zip files. Web designers use ActiveX to build dynamic and interactive Web pages that behave similarly across operating systems and platforms, but attackers can use ActiveX to gain control over a target computer. When you block ActiveX components, the security device also blocks Java applets, .exe files, and .zip files, whether or not they are contained within an ActiveX control.

.zip files: Files with the .zip extension contain one or more compressed files, some of which might be .exe files or other potentially malicious content. You can configure the security device to block all .zip files from entering the zone.

.exe files: Files with the .exe extension are executables that might contain malicious code. You can configure the security device to block all .exe files from entering the zone.
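The following is an added example, not code from the original page or from any vendor's device, showing how a filter can classify an HTTP response against the components in Table 1 and apply the rule that blocking ActiveX also blocks Java, .zip and .exe content. It goes one step beyond the page: because the Content-Type header and the URL extension are both attacker-controlled, it also checks the first bytes of the body (ZIP "PK\x03\x04", Windows executable "MZ", Java class 0xCAFEBABE). The media-type lists, the function names and the sample responses are all assumptions constructed for this example.

```python
"""Classify HTTP responses against the Table 1 components (constructed example)."""

# Media types and extensions that identify each component. These lists are an
# assumption chosen from common practice, not values the page specifies.
COMPONENT_SIGNATURES = {
    "java": {"types": {"application/java-archive", "application/x-java-applet",
                       "application/x-java-vm"},
             "exts": {".class", ".jar"}},
    "activex": {"types": {"application/x-oleobject", "application/olescript"},
                "exts": {".ocx", ".cab"}},
    "zip": {"types": {"application/zip", "application/x-zip-compressed"},
            "exts": {".zip"}},
    "exe": {"types": {"application/x-msdownload", "application/vnd.microsoft.portable-executable"},
            "exts": {".exe"}},
}

# File signatures: the header and extension can lie, the first bytes usually do not.
ZIP_MAGIC = b"PK\x03\x04"     # also matches .jar, which is a zip container
EXE_MAGIC = b"MZ"             # DOS/PE executable stub
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def classify(headers, url, body_prefix=b""):
    """Return the set of Table 1 component names a response appears to carry."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    path = url.split("?", 1)[0].lower()
    found = set()
    for name, sig in COMPONENT_SIGNATURES.items():
        if ctype in sig["types"] or any(path.endswith(e) for e in sig["exts"]):
            found.add(name)
    if body_prefix.startswith(ZIP_MAGIC):
        found.add("zip")
    if body_prefix.startswith(EXE_MAGIC):
        found.add("exe")
    if body_prefix.startswith(CLASS_MAGIC):
        found.add("java")
    return found


def effective_policy(blocked):
    """Expand the configured block set as the page describes: blocking ActiveX
    also blocks Java applets, .exe files and .zip files."""
    blocked = set(blocked)
    if "activex" in blocked:
        blocked |= {"java", "zip", "exe"}
    return blocked


def should_block(blocked, headers, url, body_prefix=b""):
    """Return (decision, matched components) for one response."""
    hits = classify(headers, url, body_prefix) & effective_policy(blocked)
    return bool(hits), hits


if __name__ == "__main__":
    # Constructed response: the header claims plain text, the body is a PE file.
    decision, hits = should_block({"exe"}, {"Content-Type": "text/plain"},
                                  "/download/report.txt", b"MZ\x90\x00\x03\x00")
    print(decision, sorted(hits))
```

The body check is the part that matters operationally: a header-only filter passes a renamed executable served as text/plain, while the magic-byte check still catches it. Conversely a .jar is also a zip, so blocking .zip content blocks Java archives even when Java itself is allowed; decide whether that is the behaviour you want before enabling it.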
Microsoft Windows contains the WinNuke vulnerability, a denial-of-service weakness in the NetBIOS session service of older Windows versions (Windows 95 and Windows NT, patched in 1997; the protection still matters for legacy or unpatched hosts reachable from the Internet). The attacker sends a TCP segment, usually to NetBIOS port 139, with the urgent (URG) flag set to a host that has an established connection. This out-of-band segment causes a NetBIOS fragment overlap that can crash the Windows system.
To protect targets in the security zone from WinNuke attacks, configure the security device to scan incoming Microsoft NetBIOS session service (port 139) packets for a set URG flag. If such a packet is detected, the security device clears the URG flag, zeroes the urgent pointer, forwards the modified packet, and generates a log entry for the event. Because the TCP header has changed, the segment's checksum must be recomputed before forwarding; otherwise the receiving host discards it.
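As an added example, not code from the original page or from any vendor's device, the sanitizer below implements the mitigation just described on a raw TCP segment: it matches destination port 139 with URG set, clears the flag, zeroes the urgent pointer, recomputes the TCP checksum over the IPv4 pseudo-header, and returns a log line. `build_segment` and the addresses are constructed for the example so it runs offline; the helper names are assumptions.

```python
"""WinNuke screen on a raw TCP segment (constructed example)."""
import ipaddress
import socket
import struct

TCP_FLAG_URG = 0x20
NETBIOS_SESSION_PORT = 139
# Fixed 20-byte TCP header: sport, dport, seq, ack, offset/reserved, flags,
# window, checksum, urgent pointer.
TCP_HDR = struct.Struct("!HHIIBBHHH")


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 one's-complement checksum over the IPv4 pseudo-header + segment."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(src_ip, dst_ip, segment):
    """A segment with a correct checksum field sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(src_ip, dst_ip, sport, dport, flags, urg_ptr, payload):
    """Constructed test traffic: a valid segment with the given flags and URG pointer."""
    hdr = TCP_HDR.pack(sport, dport, 1, 1, 5 << 4, flags, 8192, 0, urg_ptr)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return TCP_HDR.pack(sport, dport, 1, 1, 5 << 4, flags, 8192, csum, urg_ptr) + payload


def sanitize_winnuke(src_ip, dst_ip, segment):
    """Apply the page's mitigation. Returns (segment_to_forward, log_entry_or_None)."""
    sport, dport, seq, ack, off, flags, win, _csum, urgp = TCP_HDR.unpack_from(segment)
    if dport != NETBIOS_SESSION_PORT or not (flags & TCP_FLAG_URG):
        return segment, None                       # not a WinNuke candidate, pass through
    flags &= ~TCP_FLAG_URG                         # unset URG
    rest = segment[TCP_HDR.size:]                  # options and payload stay untouched
    hdr = TCP_HDR.pack(sport, dport, seq, ack, off, flags, win, 0, 0)  # URG pointer cleared
    csum = tcp_checksum(src_ip, dst_ip, hdr + rest)  # must be recomputed after the edit
    hdr = TCP_HDR.pack(sport, dport, seq, ack, off, flags, win, csum, 0)
    log = (f"winnuke: {src_ip}:{sport} -> {dst_ip}:{dport} URG flag cleared, "
           f"urgent pointer {urgp} zeroed, segment forwarded")
    return hdr + rest, log


if __name__ == "__main__":
    attack = build_segment("10.0.0.5", "10.0.0.9", 40000, 139,
                           TCP_FLAG_URG | 0x18, 1, b"\x01\x02\x03")  # URG|PSH|ACK
    forwarded, entry = sanitize_winnuke("10.0.0.5", "10.0.0.9", attack)
    print(entry)
```

Two checks worth keeping when you test a screen like this on real hardware: the forwarded segment must still verify its checksum at the receiver, and a segment to port 139 without URG, or a URG segment to any other port, must pass through byte-for-byte, since the screen is meant to be transparent to legitimate NetBIOS sessions.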