Security researchers have seen attackers going after the newly patched CVE-2012-0003 vulnerability in the Windows Media Player. The flaw, which was patched earlier this month by Microsoft, is a critical one that can enable remote code execution, and it affects a wide range of Windows systems.
When the patch was released, Microsoft officials recommended that customers install it immediately, as there was a decent chance of attackers leveraging it in the near future. And that’s just what’s happened. Researchers at the IBM ISS X-Force have seen malicious attacks against the MIDI vulnerability in the wild in recent days, and say that because exploitation of the flaw is not considered difficult, there may well be more on the horizon.
“In addition to the appearance of live exploitation, detailed discussion of the vulnerability details and methods of exploitation have been seen. The relatively low complexity of locating the vulnerability will doubtlessly lead to more malware targeting it,” Shane Garrett of the X-Force wrote in a blog post.
In order to exploit this vulnerability, an attacker simply needs to entice a user into opening a specifically formatted media file. Once the exploit code executes, the attacker would have full control of the system. And pieces of malware capable of exploiting this vulnerability are now circulating online.
“HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body.”
The specific attack that Trend Micro’s researchers have analyzed uses the shellcode to download an encrypted binary, which it then decrypts and executes. The payload in this attack includes malware with rootkit capabilities, which is installed on the victim’s machine. That rootkit then connects to a remote server and downloads another component, a backdoor.