Security researchers have seen attackers going after the newly patched CVE-2012-0003 vulnerability in the Windows Media Player. The flaw, which was patched earlier this month by Microsoft, is a critical one that can enable remote code execution, and it affects a wide range of Windows systems.
When the patch was released, Microsoft officials recommended that customers install it immediately as there was a decent chance of attackers leveraging it in the near future. And that’s just what’s happened. Researchers at the IBM ISS X-Force have seen malicious attacks against the MIDI vulnerability going on in the wild in recent days, and say that because exploitation of the flaw is not considered difficult, there may well be more on the horizon.
“In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation have been seen. The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it,” Shane Garrett of the X-Force wrote in a blog post.
In order to exploit this vulnerability, an attacker simply needs to entice a user into opening a specifically formatted media file. Once the exploit code executes, the attacker would then have full control of the system. And there are now pieces of malware that are circulating online that are capable of exploiting this vulnerability.
“In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA,” Roland Dela Paz of Trend Micro, wrote in an analysis of the attacks.
“HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body.”
The specific attack that Trend Micro’s researchers have analyzed uses the shellcode to download an encrypted binary, which it then decrypts and executes. The payload in this attack includes some malware with rootkit capabilities, which is installed on the victim’s machine. That rootkit also then connects to a remote server and downloads another component, a backdoor.