Microsoft blocks 'movies-to-malware' attacks
- 14 April, 2010 06:14
Microsoft today patched 25 vulnerabilities in Windows, Exchange and Office, including nine marked "critical," the company's highest threat ranking.
But researchers were unanimous in urging users to immediately apply two of the 11 updates, which address major bugs in Windows Media Player and an important video file format, to block drive-by attacks that will quickly spread on the Web.
The patches also fixed eight flaws pegged as "important," the next-lowest step in Microsoft's four-stage scoring system, and another eight tagged as "moderate." Five of today's 11 update packages were marked critical, while five were labeled important and the remaining one as moderate.
Security experts directed users' attention to a pair of updates that addressed issues in Windows' media infrastructure.
"MS10-026 and MS10-027, which cover [the] DirectShow [codec] and Windows Media Player, are the ones to look at immediately," said Andrew Storms, director of security operations at nCircle Network Security. "This is a classic movies-to-malware situation, where you're watching a video but actually being hijacked."
MS10-026 affects Windows 2000, XP, Vista and Server 2008, said Microsoft's accompanying advisory, but not the newer Windows 7 or Server 2008 R2, and deals with a vulnerability that could be used to hijack a PC if "a user opened a specially crafted .avi file containing an MPEG Layer-3 audio stream," said Microsoft.
MS10-027 , on the other hand, patches a critical bug in Windows Media Player, Microsoft's by-default audio- and video-playing software, on Windows 2000 and XP.
"These were the two that jumped out at us, too," said Amol Sarwate, manager of Qualys' vulnerabilities research lab.
"They have a drive-by attack vector, where if you click a link in an e-mail or go to a [malicious] Web site, you're owned," added Richie Lai, director of vulnerability research at Qualys.
Other researchers, including Josh Abraham of Rapid7 and Jason Miller, Shavlik's data and security team manager, put the same two updates at the top of their to-do lists. "Based on the information Microsoft has provided, there's definitely the potential for exploitation in the wild of these," Abraham said.
"The Internet is a giant media hub now," added Miller. "These are very good targets, because first of all, lots of people aren't going to upgrade [Windows Media Player] and second, most people watch video when they're online. Not at the office? Come on.... When I walk around here, everyone's watching video."
Lai, of Qualys, agreed. "MS01-027 can be exploited with just a script, and we've seen both DirectShow and Media Player exploited in the past. I give them a week before we see them in the wild," he said.
Microsoft has repeatedly patched both DirectShow, the vulnerable codec addressed by MS10-026, and Windows Media Player, which MS10-027 patches, said nCircle's Storms, who cited three updates in 2009 for each component. "Microsoft has patched these just as often as Apple has patched QuickTime," Storms said. "But that doesn't surprise me. What with a lot of what consumers do on the Internet multimedia-based, there are a lot of [researchers'] eyeballs on these components."
A third media-related update patched a critical vulnerability in Windows 2000's implementation of Windows Media Services. Although that service is not enabled by default, Lai said the vulnerability could become a target for hackers eager to write a worm. "It's a wormable bug if you have this installed," he said.
Windows 2000, which is slated to be fully retired from support this July, currently has only a .06% share of the global operating system usage market, according to the latest data from Web analytics vendor NetApplications.com.
Other updates today patched Microsoft's Publisher and Visio applications -- two parts of its Office suite family -- Windows digital signing function, the Windows kernel, the SMTP service that's part of the popular Exchange e-mail server software, and the ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) component in most versions of Windows.
Researchers split on what to patch after applying MS10-026 and MS10-027.
" MS10-019 is both pretty interesting and pretty disturbing," said Miller, talking about the patch for Authenticode Verification, the encryption and digital signing service Windows uses to verify legitimate software. Hackers who exploit the two critical vulnerabilities could, said Microsoft, "cause Windows to install or run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Lai said he expects attackers to show intense interest in the Authenticode bugs because exploiting the flaws would allow them to disguise malware as digitally-signed software from the likes of Microsoft. "They won't be exploited any time soon," he said, noting that part of the exploit mechanism will be difficult to craft, "but maybe within a couple of months we'll see some. This really puts the fear [into users] of what's on their machines, and what's real software and what isn't."
While today's Patch Tuesday was slightly smaller in scope than February's -- which boasted 13 security bulletins and patched 26 bugs -- it is still enormous, researchers agreed.
"More important, it's fragmented," said Wolfgang Kandek, the chief technology officer of Qualys. "There are not only lots of bulletins, but some are really small in coverage and affect only a small fraction of users. Because it's very fragmented, it's a different kind of challenge for administrators."
Among today's fixes were ones for two outstanding security advisories that Microsoft issued in November 2009 and March 2010. The November 2009 warning was prompted by reports of a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, within Windows 7 and Windows Server 2008 R2. At the time, the flaw was the first Microsoft-confirmed zero-day vulnerability for Windows 7.
The March advisory warned Windows XP users not to press the F1 key when prompted by a Web site, Microsoft's response to a report by Polish security researcher Maurycy Prodeus of a vulnerability in VBScript that attackers could exploit to hijack PCs running Internet Explorer (IE).
Microsoft's updates are not the only ones to hit users today. Adobe has also released an update to its Reader and Acrobat PDF software that fixed 15 vulnerabilities, most of them critical. Oracle is slated to deliver 16 patches today for Sun Microsystem's software and another 47 for its own database products.
This month's Microsoft security update can be downloaded and installed via the Windows Update and Microsoft Update services, as well as through Windows Server Update Services.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com .
Read more about security in Computerworld's Security Knowledge Center.