Microsoft blocks 'movies-to-malware' attacks
Patches 25 vulnerabilities, including two that attackers will quickly exploit, say researchers
Computerworld - Microsoft today patched 25 vulnerabilities in Windows, Exchange and Office, including nine marked "critical," the company's highest threat ranking.
But researchers were unanimous in urging users to immediately apply two of the 11 updates, which address major bugs in Windows Media Player and an important video file format, to block drive-by attacks that will quickly spread on the Web.
The patches also fixed eight flaws pegged as "important," the next-lowest step in Microsoft's four-stage scoring system, and another eight tagged as "moderate." Five of today's 11 update packages were marked critical, while five were labeled important and the remaining one as moderate.
Security experts directed users' attention to a pair of updates that addressed issues in Windows' media infrastructure.
"MS10-026 and MS10-027, which cover [the] DirectShow [codec] and Windows Media Player, are the ones to look at immediately," said Andrew Storms, director of security operations at nCircle Network Security. "This is a classic movies-to-malware situation, where you're watching a video but actually being hijacked."
MS10-026 affects Windows 2000, XP, Vista and Server 2008, said Microsoft's accompanying advisory, but not the newer Windows 7 or Server 2008 R2, and deals with a vulnerability that could be used to hijack a PC if "a user opened a specially crafted .avi file containing an MPEG Layer-3 audio stream," said Microsoft.
MS10-027, on the other hand, patches a critical bug in Windows Media Player, Microsoft's by-default audio- and video-playing software, on Windows 2000 and XP.
"These were the two that jumped out at us, too," said Amol Sarwate, manager of Qualys' vulnerabilities research lab.
"They have a drive-by attack vector, where if you click a link in an e-mail or go to a [malicious] Web site, you're owned," added Richie Lai, director of vulnerability research at Qualys.
Other researchers, including Josh Abraham of Rapid7 and Jason Miller, Shavlik's data and security team manager, put the same two updates at the top of their to-do lists. "Based on the information Microsoft has provided, there's definitely the potential for exploitation in the wild of these," Abraham said.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts