Security Experts:

Connect with us

Hi, what are you looking for?



Slow to Patch Users Vulnerable to Windows Media Player Exploit

Attackers Target Patched Windows Media Player Vulnerability 

Attackers are going after a recently patched vulnerability in Windows Media Player (WMP), and users do not seem to be keeping up with the threat.

Attackers Target Patched Windows Media Player Vulnerability 

Attackers are going after a recently patched vulnerability in Windows Media Player (WMP), and users do not seem to be keeping up with the threat.

According to security researchers, the flaw, CVE-2012-0003, is being targeted by exploits currently in the wild. The flaw rests within the winmm.dll in WMP’s Windows Multimedia Library in Windows XP SP2 and SP3, as well as Windows Server 2003 SP2, Vista SP2 and Server 2008 SP2. If successfully exploited with a malicious MIDI file, an attacker could use it to remotely launch arbitrary code.

The vulnerability was patched with the release of MS12-004, which came out Jan. 10. However, Qualys CTO Wolfgang Kandek told SecurityWeek that roughly 70 percent of the machines the company has scanned remain vulnerable to the bug. That number is based on scans of more than 100,000 machines per day. The patch also fixes a vulnerability caused when filters in DirectShow fail to properly handle specially-crafted media files. DirectShow is a part of DirectX, a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support.

“If for whatever reason you haven’t applied the critical January 2012 security update from Microsoft, now you really need to,” blogged Shane Garrett, of IBM’s X-Force Research team.

“In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation have been seen,” he added. “The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it.”

Researchers at Trend Micro reported the appearance of an attack targeting the bug last week. In the attack Trend Micro found, users who visit sites hosting the exploit are hit with malicious HTML that calls a malicious MIDI file and uses JavaScript to decode the shellcode in the HTML’s body. From there, the shellcode downloads, decodes and executes a Trojan detected by Trend as TROJ_DLOAD.QYUA. The Trojan drops a component with rootkit capabilities, as well as an info stealer that targets Korean gaming sites.

“Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here,” blogged Roland Dela Paz, threat response engineer at Trend Micro. “It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit. As such, we can expect similar attacks in the future.”

Related Reading: Endless Exploit Attempts Underline Importance of Timely Java Patching

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.