Hackers pounce on just-patched Windows Media vulnerability

Summary: The end result is a malicious Trojan with rootkit capabilities. The attack happens silently in the background and all the user sees is a blank WMP application playing a file.

If you haven't gotten around to patching that Windows Media Player vulnerability fixed in the last Microsoft Patch Tuesday batch, you might want to immediately fire up Windows Update.

Just a few weeks after Microsoft shipped MS12-004, a “critical” bulletin with fixes for two serious flaws in the way Windows Media handles certain media files, hackers have pounced and are exploiting this issue to plant malware on unpatched computers.

According to a warning from Trend Micro, the in-the-wild attacks are being launched via web sites rigged with booby-trapped Windows media files.

Trend Micro said the infection vector is a malicious HTML page that exploits the vulnerability using two components hosted on the same domain: a MIDI file and a JavaScript file.
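The HTML-plus-MIDI-plus-script vector Trend Micro describes can be flagged heuristically on the defender's side. The following is an added Python example, not code from the article or from Trend Micro; it assumes a page URL and a constructed sample page, and the hostnames are placeholders.

```python
# Heuristic scanner: flag an HTML page that embeds a MIDI file AND loads an
# external script from the page's own host, the combination Trend Micro
# reported for the MS12-004 attacks. Added example; sample page is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MIDI_EXTS = (".mid", ".midi", ".rmi")
MEDIA_TAGS = ("embed", "object", "audio", "bgsound")


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs from tags that can load media or scripts."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "data"):  # <embed src>, <object data>, <script src>
            if a.get(key):
                self.refs.append((tag, a[key]))
                break


def find_midi_script_combo(page_url, html):
    """Return {'midi': [...], 'scripts': [...]} for same-host references when
    the page combines both kinds of component, otherwise None."""
    parser = _RefCollector()
    parser.feed(html)
    host = urlsplit(page_url).hostname
    midi, scripts = [], []
    for tag, ref in parser.refs:
        url = urljoin(page_url, ref)  # resolve relative references
        if urlsplit(url).hostname != host:
            continue  # only same-domain components match the reported vector
        path = urlsplit(url).path.lower()
        if tag in MEDIA_TAGS and path.endswith(MIDI_EXTS):
            midi.append(url)
        elif tag == "script" and path:
            scripts.append(url)
    return {"midi": midi, "scripts": scripts} if midi and scripts else None


# Constructed sample: a page loading a script and embedding a MIDI file
SAMPLE_PAGE = """<html><head><script src="/js/load.js"></script></head>
<body><embed src="/media/tune.mid" type="audio/midi"></body></html>"""

if __name__ == "__main__":
    print(find_midi_script_combo("http://example.invalid/index.html", SAMPLE_PAGE))
```

A hit is a trigger for closer inspection, not proof of an exploit: legitimate pages can embed MIDI and scripts too.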

The end result is a malicious Trojan with rootkit capabilities. The attack happens silently in the background and all the user sees is a blank WMP application playing a file.

Researchers at IBM ISS are also reporting increased chatter around the simplicity of exploiting this particular vulnerability:

In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation has been seen. The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it.

This particular threat doesn't appear to be widespread at the moment, but it's very likely that this bug could be fitted into popular exploit kits, so it's important to apply this patch as soon as possible.

Talkback

11 comments
  • RE: Hackers pounce on just-patched Windows Media vulnerability

    The hackers decide to write the trojan after the patch has been out, that's laughable, and since it's already patched their trojan is DOA.
    Loverock Davidson-
    • RE: Hackers pounce on just-patched Windows Media vulnerability

      @Loverock Davidson-
      That is a really myopic view of how things work in the real world. Just because a patch is out there does not mean that everyone instantly puts it into a production environment. If a patch comes out that cripples the infrastructure, then which is better: lost productivity or being vulnerable to something? Further, people that happen to have computers that are not technically inclined do not stay on top of patch cycles by software vendors. My guess is that you are running software on your system right now that has a CVE identifier and you have not patched it yet. As almost everyone out there is.
      woot4moo
      • RE: Hackers pounce on just-patched Windows Media vulnerability

        @woot4moo that's why you should always enable auto updates. No thought needed, Microsoft issues a patch, and your system automatically becomes immune to the nasty virus. Unlike those other OSs, where you have to recompile your patches, and they often break more than they fix.
        Stephen-B
      • This is more a dig at the Apple and Linux fanbois

        @woot4moo
        They are always going on about how vulnerabilities don't count if they are patched.
        toddybottom_z
      • Speaking of Apple fanbois, hi Rick_Kl / Stephen-B

        You unwittingly give good advice. For home users, auto-updates should be enabled.
        toddybottom_z
    • RE: Hackers pounce on just-patched Windows Media vulnerability

      @Loverock Davidson-

      It may be that it was easier for the hackers to reverse engineer the patch to determine a proper attack vector. Now it's a race between those with malicious code and unpatched users, to claim ownership of the machine.
      TechNickle
    • RE: Hackers pounce on just-patched Windows Media vulnerability

      @Loverock Davidson- As others have said, some people don't have automatic updates enabled, so they won't be protected. And now that there's a patch available, the kinds of people who would write trojans can figure out how to reverse-engineer the specific exploit by checking the patch. Damn shame they can't figure out how to use their powers for good.
      Third of Five
  • Meh, user level exploit.

    Doesn't count according to the ZDnet forum criteria.
    ye
  • RE: Hackers pounce on just-patched Windows Media vulnerability

    Per the above, I would allow Microsoft to auto-update if I had any confidence they would not auto-install various browsers or silver-whateveritis.

    Here's a case for manually checking Windows Update, though. I've had two instances recently of installing software which includes unpatched MS C++ libraries. This shows up the next time you run Windows Update, but not before.

    Curiously, the latest was a 2008 version -- from Adobe Labs. Ah, well.

    Regards
    Narr vi
    • RE: Hackers pounce on just-patched Windows Media vulnerability

      @Narr vi
      What's wrong with silver-light? Don't like watching movies online? Oh well, just FYI, silver-light is becoming a replacement for adobe flash in the upcoming HTML5 years.
      MrElectrifyer
      • RE: Hackers pounce on just-patched Windows Media vulnerability

        @MrElectrifyer

        I am sure you know what you are talking about. However, I will download Silverlight when I need it, not when MS wants me to. I have done without it so far...

        I (and others) would be more accepting of M$ stuff if they were great products for their own sake. .Net was only in response to Java. Silverlight was only in response to Flash. Windows desktop search was just in response to Google Desktop Search. Office document imaging was ... you get the idea... And don't forget DRM, well, so M$ can make money selling DRM solutions to businesses. And M$ tries to install and turn on every single one whether or not I want, need, or use them. That behavior isn't much better than the malware pushers.

        M$ has squandered a lot of goodwill with this crap and that business model. Now I am supposed to trust them? Luuuuuucy, you got some 'splainin' to do...!
        mlashinsky@...