Microsoft blocks 'movies-to-malware' attacks
Patches 25 vulnerabilities, including two that attackers will quickly exploit, say researchers
Computerworld - Microsoft today patched 25 vulnerabilities in Windows, Exchange and Office, including nine marked "critical," the company's highest threat ranking.
But researchers were unanimous in urging users to immediately apply two of the 11 updates, which address major bugs in Windows Media Player and an important video file format, to block drive-by attacks that will quickly spread on the Web.
The patches also fixed eight flaws pegged as "important," the next-lowest step in Microsoft's four-stage scoring system, and another eight tagged as "moderate." Five of today's 11 update packages were marked critical, while five were labeled important and the remaining one as moderate.
Security experts directed users' attention to a pair of updates that addressed issues in Windows' media infrastructure.
"MS10-026 and MS10-027, which cover [the] DirectShow [codec] and Windows Media Player, are the ones to look at immediately," said Andrew Storms, director of security operations at nCircle Network Security. "This is a classic movies-to-malware situation, where you're watching a video but actually being hijacked."
MS10-026 affects Windows 2000, XP, Vista and Server 2008, said Microsoft's accompanying advisory, but not the newer Windows 7 or Server 2008 R2, and deals with a vulnerability that could be used to hijack a PC if "a user opened a specially crafted .avi file containing an MPEG Layer-3 audio stream," said Microsoft.
MS10-027, on the other hand, patches a critical bug in Windows Media Player, Microsoft's by-default audio- and video-playing software, on Windows 2000 and XP.
"These were the two that jumped out at us, too," said Amol Sarwate, manager of Qualys' vulnerabilities research lab.
"They have a drive-by attack vector, where if you click a link in an e-mail or go to a [malicious] Web site, you're owned," added Richie Lai, director of vulnerability research at Qualys.
Other researchers, including Josh Abraham of Rapid7 and Jason Miller, Shavlik's data and security team manager, put the same two updates at the top of their to-do lists. "Based on the information Microsoft has provided, there's definitely the potential for exploitation in the wild of these," Abraham said.
- Russian credential theft shows why the password is dead
- Cybersecurity should be professionalized
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!