Windows Media Player Vulnerability Targeted by Drive-by-download Attack
Security firm Trend Micro recently released details on malware that has been targeting the MIDI Remote Code Execution Vulnerability found in Microsoft’s Windows Media Player.
A post on Trend Micro’s Malware Blog offered further insight into the malware that has been exploiting the CVE-2012-0003 vulnerability. The malware’s authors have been successful in exploiting the vulnerability by tricking unsuspecting victims into opening a specially engineered MIDI file in Windows Media Player. This Web-based drive-by-download attack uses a malicious HTML page as its delivery method. If a victim falls for the scheme, a Trojan is executed on their system. Trend Micro officially identified the Trojan as TROJ_DLOAD.QYUA. While the company’s researchers are still analyzing the Trojan, they said it possesses rootkit capabilities and has the potential to be quite problematic.
Microsoft acknowledged the Windows Media Player vulnerability and released a patch for it as part of its Patch Tuesday earlier this month. The software giant described the issue as critical, noting that a successful exploit of the vulnerability could give an attacker complete control of the targeted system.
David Sancho, a senior researcher with Trend Micro, noted that the attack is not widespread at this time. That could change, however, if other hackers follow suit and try to exploit the vulnerability themselves. Sancho added that it’s a safe bet to expect more attacks of this kind in the future, as is usually the case with vulnerabilities that are disclosed to the public. As for who or what the attack is targeting, Sancho said no particular people or organizations seem to be in harm’s way, and the method by which victims are being led to the malicious page is still unknown.
Trend Micro offered some security measures you can employ to protect yourself from this attack. First and foremost, the company recommends applying Microsoft’s MS12-004 bulletin update that was released on January 10 to patch the Windows Media Player vulnerability. It covers users running Windows XP Service Pack 2 and Service Pack 3, Vista Service Pack 2, Server 2003 Service Pack 2, and Server 2008 Service Pack 2, and can be downloaded by visiting http://technet.microsoft.com/en-us/security/bulletin/ms12-004.
Beyond applying the update, Trend Micro also recommends employing the standard practice of running a trusted antivirus program that can scan Web content. Users are urged to keep their operating systems and software in their most up-to-date states as well. Any users covered by the Trend Micro Smart Protection Network are protected from the attack, as the service has been updated to block any related files or URLs deemed to be malicious.
Symantec Urges Users to Disable its pcAnywhere Product Now
Symantec issued a security advisory last week urging its customers to essentially discontinue regular use of its pcAnywhere offering. The theft of Symantec source code in 2006 is the reason for the advisory, which specifically recommended that pcAnywhere users configure the product in a way that minimizes potential risks and use it only for purposes critical to business.
News of the stolen source code came under the spotlight earlier this month when Lords of Dharmaraja, a hacking group, used a Pastebin post to display what it claimed to be part of Symantec’s Norton Utilities source code. Symantec called the claim bogus, but the security vendor faced controversy once again on January 16 when Sabu, former leader of the LulzSec hacker group, posted the following on Twitter: “Lords of Dharmaraja has sent #antisec Symantec source codes for 0day-plundering. All your NU+PCAnywhere base are belong to us. Release soon.”
The Sabu tweet caused Symantec to change its tune, leading the company to explain why it took over five years to confirm the breach. The main worry behind the theft is that attackers could study the code to look for methods to crack pcAnywhere’s encryption. Once cracked, attackers could steal user credentials or session information via man-in-the-middle attacks. Doing so might give them access to the cryptographic key used to remotely connect to the computer, which would lead to even more trouble: “If the cryptographic key itself is using Active Directory credentials, it is also possible for them to perpetrate other malicious activities on the network,” the advisory said.
Symantec’s latest advisory lists customers using pcAnywhere versions 12.0, 12.1, and 12.5 as being most at risk for any related attacks, but those running previous versions are also advised to take the proper precautions. According to the results of its internal investigation, “There are no indications that customer information has been impacted or exposed at this time.”
Beyond the source code theft concerning pcAnywhere, Symantec said its code for the 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, and Norton SystemWorks was also compromised.
For more on this topic, visit http://informationweek.com/news/security/vulnerabilities/232500523?pgno=2