Attackers Target Patched Windows Media Player Vulnerability
Attackers are going after a recently patched vulnerability in Windows Media Player (WMP), and users do not seem to be keeping up with the threat.
According to security researchers, the flaw, CVE-2012-0003, is being targeted by exploits currently in the wild. The flaw resides in winmm.dll, part of the Windows Multimedia Library used by WMP, in Windows XP SP2 and SP3, as well as Windows Server 2003 SP2, Vista SP2 and Server 2008 SP2. An attacker who successfully exploits it with a malicious MIDI file could remotely execute arbitrary code.
The vulnerability was patched with the release of MS12-004, which came out Jan. 10. However, Qualys CTO Wolfgang Kandek told SecurityWeek that roughly 70 percent of the machines the company has scanned remain vulnerable to the bug. That number is based on scans of more than 100,000 machines per day. The patch also fixes a vulnerability caused when filters in DirectShow fail to properly handle specially crafted media files. DirectShow is a part of DirectX, a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support.
“If for whatever reason you haven’t applied the critical January 2012 security update from Microsoft, now you really need to,” blogged Shane Garrett, of IBM’s X-Force Research team.
“In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation have been seen,” he added. “The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it.”
Researchers at Trend Micro reported the appearance of an attack targeting the bug last week. In the attack Trend Micro found, users who visit sites hosting the exploit are hit with malicious HTML that calls a malicious MIDI file and uses JavaScript to decode the shellcode in the HTML’s body. From there, the shellcode downloads, decodes and executes a Trojan detected by Trend as TROJ_DLOAD.QYUA. The Trojan drops a component with rootkit capabilities, as well as an info stealer that targets Korean gaming sites.
“Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here,” blogged Roland Dela Paz, threat response engineer at Trend Micro. “It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit. As such, we can expect similar attacks in the future.”
