Security Experts: Slow-to-Patch Users Vulnerable to Windows Media Player Exploit

Attackers Target Patched Windows Media Player Vulnerability

Attackers are going after a recently patched vulnerability in Windows Media Player (WMP), and users do not seem to be keeping up with the threat.

According to security researchers, the flaw, CVE-2012-0003, is being targeted by exploits currently in the wild. The flaw lies in winmm.dll, the Windows Multimedia Library used by WMP, on Windows XP SP2 and SP3, as well as Windows Server 2003 SP2, Vista SP2 and Server 2008 SP2. If successfully exploited with a malicious MIDI file, the flaw could allow an attacker to execute arbitrary code remotely.

The vulnerability was patched with the release of MS12-004, which came out Jan. 10. However, Qualys CTO Wolfgang Kandek told SecurityWeek that roughly 70 percent of the machines the company has scanned remain vulnerable to the bug. That number is based on scans of more than 100,000 machines per day. The patch also fixes a vulnerability caused when filters in DirectShow fail to properly handle specially-crafted media files. DirectShow is a part of DirectX, a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support.

“If for whatever reason you haven’t applied the critical January 2012 security update from Microsoft, now you really need to,” blogged Shane Garrett, of IBM’s X-Force Research team.

“In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation have been seen,” he added. “The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it.”

Researchers at Trend Micro reported the appearance of an attack targeting the bug last week. In the attack Trend Micro found, users who visit sites hosting the exploit are served malicious HTML that loads a malicious MIDI file and uses JavaScript to decode shellcode embedded in the HTML body. From there, the shellcode downloads, decodes and executes a Trojan detected by Trend as TROJ_DLOAD.QYUA. The Trojan drops a component with rootkit capabilities, as well as an info stealer that targets Korean gaming sites.
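The attack chain above hinges on a MIDI file that winmm.dll mishandles. The article does not describe what makes the file malformed, so the following added example (written for this page, not code from Trend Micro, Microsoft or any of the researchers quoted) does not detect CVE-2012-0003 itself. It shows the kind of structural validation a mail or web gateway can apply to MIDI content before it reaches a vulnerable parser: it walks the Standard MIDI File chunk layout and the events inside each track and reports length fields that overrun the file, data bytes outside the 0..127 range the format allows, and tracks with no End of Track marker. The three sample files are constructed inline for illustration.

```python
import struct


def _read_varint(buf, pos, end):
    """Decode a MIDI variable-length quantity at pos; return (value, new_pos)."""
    value = 0
    for _ in range(4):  # the format allows at most four bytes
        if pos >= end:
            raise ValueError("truncated variable-length quantity")
        byte = buf[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos
    raise ValueError("variable-length quantity longer than four bytes")


def _walk_track(buf, start, end):
    """Walk the events of one MTrk chunk and return a list of findings."""
    findings = []
    pos = start
    running_status = None
    saw_end = False
    try:
        while pos < end:
            _, pos = _read_varint(buf, pos, end)          # delta time
            if pos >= end:
                raise ValueError("delta time not followed by an event")
            status = buf[pos]
            if status & 0x80:
                pos += 1
            elif running_status is None:
                raise ValueError("data byte with no running status")
            else:
                status = running_status                   # running status reuses last status
            if status == 0xFF:                            # meta event: type, length, data
                if pos >= end:
                    raise ValueError("truncated meta event")
                meta_type = buf[pos]
                length, pos = _read_varint(buf, pos + 1, end)
                if pos + length > end:
                    raise ValueError("meta event length overruns track")
                pos += length
                running_status = None
                if meta_type == 0x2F:                     # End of Track
                    saw_end = True
                    if pos != end:
                        findings.append(f"{end - pos} bytes after End of Track")
                    break
            elif status in (0xF0, 0xF7):                  # sysex: length, data
                length, pos = _read_varint(buf, pos, end)
                if pos + length > end:
                    raise ValueError("sysex length overruns track")
                pos += length
                running_status = None
            elif status >= 0xF1:                          # system common/realtime: not valid in a file
                findings.append(f"offset {pos - 1}: status 0x{status:02x} not allowed in a MIDI file")
            else:                                         # channel voice message
                running_status = status
                n_data = 1 if (status & 0xF0) in (0xC0, 0xD0) else 2
                if pos + n_data > end:
                    raise ValueError("channel event truncated")
                for i in range(n_data):
                    if buf[pos + i] & 0x80:
                        findings.append(f"offset {pos + i}: data byte 0x{buf[pos + i]:02x} outside 0..127")
                pos += n_data
    except ValueError as exc:
        findings.append(f"offset {pos}: {exc}")
        return findings
    if not saw_end:
        findings.append("missing End of Track meta event")
    return findings


def check_midi(data):
    """Return a list of structural findings; an empty list means the file is well formed."""
    findings = []
    if len(data) < 14 or data[:4] != b"MThd":
        return ["missing or truncated MThd header"]
    hdr_len, fmt, ntrks, _division = struct.unpack(">IHHH", data[4:14])
    if hdr_len != 6:
        findings.append(f"MThd declares length {hdr_len}, expected 6")
    if fmt not in (0, 1, 2):
        findings.append(f"unknown MIDI format {fmt}")
    if fmt == 0 and ntrks != 1:
        findings.append(f"format 0 file declares {ntrks} tracks")
    pos = 8 + hdr_len                                     # skip any header extension
    tracks = 0
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
        body = pos + 8
        if body + length > len(data):
            findings.append(f"chunk {tag!r} at offset {pos} declares {length} bytes "
                            f"but only {len(data) - body} remain")
            return findings
        if tag == b"MTrk":
            tracks += 1
            findings.extend(f"track {tracks}: {f}" for f in _walk_track(data, body, body + length))
        else:
            findings.append(f"unexpected chunk {tag!r} at offset {pos}")
        pos = body + length
    if pos != len(data):
        findings.append(f"{len(data) - pos} trailing bytes after last chunk")
    if tracks != ntrks:
        findings.append(f"header declares {ntrks} tracks, found {tracks}")
    return findings


# Constructed samples (not real exploit files): one well-formed format-0 file,
# one whose track length overruns the file, one with an out-of-range data byte.
HEADER = b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96)
GOOD_MIDI = (HEADER + b"MTrk" + struct.pack(">I", 12)
             + b"\x00\x90\x3c\x40"       # delta 0, Note On ch0, middle C, velocity 64
             + b"\x60\x80\x3c\x40"       # delta 96, Note Off
             + b"\x00\xff\x2f\x00")      # delta 0, End of Track
BAD_LENGTH_MIDI = HEADER + b"MTrk" + struct.pack(">I", 0x7FFFFFFF) + b"\x00\x90\x3c\x40"
BAD_DATA_MIDI = (HEADER + b"MTrk" + struct.pack(">I", 8)
                 + b"\x00\x90\xff\x40"   # velocity byte 0xff is not a valid data byte
                 + b"\x00\xff\x2f\x00")

if __name__ == "__main__":
    for name, sample in [("good", GOOD_MIDI), ("bad-length", BAD_LENGTH_MIDI), ("bad-data", BAD_DATA_MIDI)]:
        print(name, check_midi(sample) or "ok")
```

A file that fails these checks is not necessarily an exploit, and a file that passes them can still trigger a parser bug, so the checks are a cheap first filter rather than a signature; the real fix is the MS12-004 update the article describes.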

“Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here,” blogged Roland Dela Paz, threat response engineer at Trend Micro. “It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit. As such, we can expect similar attacks in the future.”
