Recently Microsoft released several security patches for a vulnerability discovered in Windows Media components in their Microsoft Security Bulletin MS12-004 – Critical. The vulnerability affects more or less all Windows operating systems 32 and 64 bits starting with Windows XP SP3, ending with Windows 7 and Windows Server 2008 R2 and consists in allowing of remote code execution when a specially crafted MIDI file is handled by Windows Media Player or DirectShow.
Affected Windows operating systems components are as follows:
Windows Media Library and DirectShow components:
- Windows XP Service Pack 3
- Windows XP Media Center Edition 2005 Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
Only DirectShow component:
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Media Center TV Pack for Windows Vista (32 and 64-bit editions) is also affected by this vulnerability.
Trend Micro security researchers already found this vulnerability used by the hackers to upload and execute a credentials stealer trojan in the infected computers. This malware serves to steal only credentials related to certain Korean online game sites but of course more nefarious and diversified uses can be expected in the near future.
How the attack works? The user navigates unknowingly to a web page whose HTML source contains malicious code, identified as HTML_EXPLT.QYUA by Trend Micro security vendor. This HTML code calls another malicious component, a specially crafted MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA. You know already that the MIDI file component is used to trigger the Windows Media vulnerability while the malicious JavaScript is used to decode the shell code embedded in HTML_EXPLT.QYUA.
The decrypted shell code in its turn downloads from a site, decrypts and executes a malware, TROJ_DLOAD.QYUA which uses two components: RTKT_MDIEXP.QYUA used for its rootkit capabilities able to hide its presence on the infected system and TSPY_ONLING.KREA, the main payload used to steal the credentials for that Korean online game site as I said above. It’s a typical drive-by download attack where no user interaction is needed to succeed, other than visiting a malicious web site. The stolen credentials are sent to the attacker Command&Control server.
Online Korean game? No big deal you could say. This vulnerability it’s a big deal for its immense potential it can represent for the hackers and maybe the next malware exploiting this vulnerability will be related to your online banking credentials and not Korean games.
Therefore, it’s advised for all the Windows users to immediately patch(update) their systems, if they have not already done so, visiting this address: http://technet.microsoft.com/en-us/security/bulletin/ms12-004
Sources:
http://technet.microsoft.com/en-us/security/bulletin/ms12-004
http://blog.trendmicro.com/malware-leveraging-midi-remote-code-execution-vulnerability-found/
Keep safe !
Leave a Reply