Microsoft issued seven security bulletins, including one “critical” bulletin, repairing a serious Windows Media Player flaw that could be exploited in dangerous drive-by website attacks.
The software giant repaired eight vulnerabilities in its January 2012 Patch Tuesday round of patches. The update also addresses a publicly disclosed vulnerability in SSL/TLS implementations. The SSL/TLS weakness could enable an attacker to intercept encrypted Web traffic on Web servers using SSL 3.0 and TLS 1.0 protocols.
The Windows Media flaws affect Windows Media Player, Microsoft Windows Media Libraries and Microsoft DirectShow, the application programming interface (API) designed to enable streaming media in Windows, Microsoft said in its MS12-004 security bulletin.
An attacker could exploit one of the flaws by getting a person to run a malicious MIDI file using Windows Media Player. It can be used in drive-by attacks or sent via instant message or as an email attachment, Microsoft said. Any malicious media file can be used to exploit the DirectShow error, which is a weakness in the way DirectShow parses media files, but the user has to have closed captioning enabled. The update applies to all supported versions of Windows, including Windows 7. It is labeled “critical” for users of Windows XP, Vista and Windows Server 2003 and 2008.
Wolfgang Kandek, CTO of Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc., said the MIDI flaw in Windows Media Player should be given the highest priority, since it can be used by attackers in drive-by attacks in addition to email attachments.
“The MIDI one plays without the user opening a file or installing a codec, so it can be particularly serious,” Kandek said. “I think the closed captioning shows there’s so many things in these media players that they have to interpret and all these features are great, but they pose another path for attackers.”
The SSL/TLS flaw, which was disclosed last September at the Ekoparty Security Conference in Buenos Aires, allows an attacker to eavesdrop on encrypted sessions. According to Microsoft’s MS12-006 security bulletin, which is rated an “important” update, the vulnerability is within the protocol itself and is not specific to the Windows operating system. At the conference, independent security researchers Juliano Rizzo and Thai Duong demonstrated a tool called BEAST that decrypts and obtains authentication tokens and cookies from HTTPS requests by exploiting the SSL error. The two researchers have also been pushing for a new XML encryption standard. The Microsoft update applies to all supported versions of Windows.
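The practical question for an administrator reading the MS12-006 bulletin is which of their servers still negotiate the affected combination: SSL 3.0 or TLS 1.0 together with a CBC-mode cipher suite. The following script is an added example, not code from the article or from Microsoft; it parses a captured TLS ServerHello record and flags that combination. The version and cipher-suite codes are the standard IANA values; the `build_server_hello` helper constructs sample records so the check runs offline.

```python
import struct

# Standard TLS record-layer version codes
TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}

# Small subset of IANA cipher-suite IDs; the cipher mode is what matters here
CIPHER_SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "CBC"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "CBC"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "CBC"),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", "stream"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "stream"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "AEAD"),
}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return the negotiated parameters."""
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:  # 0x16 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:  # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                      # skip the 32-byte server random
    session_id_len = hello[pos]
    pos += 1 + session_id_len         # skip the session id
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    compression = hello[pos + 2]
    return {"version": version, "cipher_suite": suite, "compression": compression}


def beast_exposed(params: dict) -> bool:
    """True when the server negotiated SSL 3.0/TLS 1.0 with a CBC cipher suite."""
    _name, mode = CIPHER_SUITES.get(params["cipher_suite"], ("unknown", "unknown"))
    return params["version"] <= 0x0301 and mode == "CBC"


def describe(params: dict) -> str:
    """Human-readable summary for a report line."""
    version = TLS_VERSIONS.get(params["version"], hex(params["version"]))
    name, _mode = CIPHER_SUITES.get(params["cipher_suite"], ("unknown", "unknown"))
    flag = "AT RISK" if beast_exposed(params) else "ok"
    return f"{version} {name}: {flag}"


def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample record: minimal ServerHello with an empty session id."""
    hello = (struct.pack("!H", version) + b"\x11" * 32  # fixed 'random' for the sample
             + b"\x00"                                   # session id length 0
             + struct.pack("!H", suite) + b"\x00")       # suite, null compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake


if __name__ == "__main__":
    for ver, suite in [(0x0301, 0x002F), (0x0302, 0x002F), (0x0301, 0x009C)]:
        print(describe(parse_server_hello(build_server_hello(ver, suite))))
```

Only the version and cipher mode are examined; the parser does not validate that a suite is actually permitted at the given version, so it is a triage aid for captured handshakes rather than a full protocol checker.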
A Windows error addressed in the MS12-005 security bulletin is rated “important,” but at least one vulnerability expert, Joshua Talbot, security intelligence manager at Symantec Security Response, said the patch deserves to gain extra attention because it can be easily exploited. The error, in Windows .NET, can be exploited remotely using a Microsoft Office Word or PowerPoint document that contains a malicious embedded ClickOnce application. ClickOnce refers to self-updating Windows-based applications that can be installed and run with minimal user interaction. The update, which affects all supported versions of Windows, fixes the way Windows Packager loads ClickOnce applications.
“The vulnerability is due to an oversight that allows an attacker to run malware as soon as a user opens a Word or PowerPoint file,” Talbot said in a statement. “Email attachments will probably be the most common attack method in which this vulnerability is exploited.”
The vulnerability has an Exploitability Index of 1, meaning that attackers can quickly develop an exploit to target the vulnerability, but Jason Miller, manager of research and development at Palo Alto, Calif.-based virtualization vendor VMware Inc., said attackers would first have to learn how to build ClickOnce applications.
“I see them staying with cross-site scripting and other stuff they’re used to doing,” Miller said. “ClickOnce is becoming more prevalent especially as adoption of cloud-based services increases, but for now I don’t see this as a major threat.”
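Because the MS12-005 attack path is an Office document carrying an embedded Packager object, one defensive measure that does not depend on the patch is to triage incoming Word and PowerPoint files for embedded objects before they reach users. The script below is an added example, not code from the article or from Microsoft or Symantec; it opens an OOXML container (a zip archive), lists every entry under the embeddings folders, and notes whether each one begins with the OLE compound-file signature that Packager objects use. The `build_sample_docx` helper constructs a minimal document so the check runs offline; the folder names and signature bytes are the standard ones.

```python
import io
import zipfile

# Folders where OOXML applications store embedded objects
EMBEDDING_DIRS = ("word/embeddings/", "ppt/embeddings/", "xl/embeddings/")

# Signature of an OLE compound file (the container used for Packager objects)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def list_embedded_objects(doc_bytes: bytes) -> list:
    """Return one record per embedded object found inside an OOXML document."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith(EMBEDDING_DIRS):
                continue
            info = zf.getinfo(name)
            head = zf.open(name).read(len(OLE_MAGIC))
            found.append({
                "path": name,
                "size": info.file_size,
                "ole_compound": head == OLE_MAGIC,
            })
    return found


def needs_review(doc_bytes: bytes) -> bool:
    """Gateway policy: hold any document that carries embedded objects for inspection."""
    return len(list_embedded_objects(doc_bytes)) > 0


def build_sample_docx(with_embedding: bool) -> bytes:
    """Constructed minimal docx-shaped archive for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_embedding:
            # Placeholder payload: OLE signature followed by zero padding
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("embedded", True)):
        sample = build_sample_docx(flag)
        print(label, needs_review(sample), list_embedded_objects(sample))
```

The script stops at the container level: it tells you that an object is present and that it is an OLE compound file, but it does not unpack the Packager stream to identify the file type inside, which is the natural next step for a full scanner.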
The other updates, all rated “important,” address a variety of Windows errors, including MS12-001, which addresses a Security Feature Bypass vulnerability, MS12-003, a Windows error that enables an attacker to gain elevated privileges, and MS12-002, which affects the way a legitimate file with an embedded packaged object functions in Windows.