Microsoft warns of Windows Media video attacks on Patch Tuesday

Hackers could use malicious video files to take over Windows computers

Microsoft issued three security patches for Windows and Office today, including a critical bug fix for Windows Media Player and Windows Media Center.

The Windows Media flaw, if left unpatched, lets attackers target victims with malicious video files. 

The malicious files can't automatically take over a victim's computer, so the hacker must perform some social engineering to trick the user.

The vulnerability "could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file," Microsoft said. "In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so."

The flaw is rated critical for Windows XP, Vista and Windows 7, as well as for the Windows Media Center TV Pack for Windows Vista. 

The video file attack is "somewhat trivial for attackers to exploit," Symantec security manager Joshua Talbot said.

The flaw "allows attackers to skip a few of the traditional steps needed to get malicious code to execute on a targeted computer," Talbot continued. "This is because when processing DVR-MS files, Windows Media Player and Media Center use data in these files themselves to determine what code in memory gets executed. This allows an attacker to jump directly to executing malicious code."

Although users have to click the files to be affected, Talbot says "It's not hard to imagine a scenario where an attacker spreads a malicious file purporting to be a video clip related to some popular current event."

The security update will be downloaded and installed automatically, as long as customers have automatic updating enabled. "The security update addresses the vulnerabilities by modifying the way library files and Windows media files are opened," Microsoft said. In addition to Windows Media, the patch also affects the DirectShow media streaming architecture.

Microsoft issued two other patches today to fix vulnerabilities in Windows and Office. The Windows patch, rated important, fixes a previously disclosed vulnerability in Windows Remote Desktop Client. The Office patch, also rated important but not critical, fixes a previously disclosed flaw in the collaboration software known as Groove. The Groove flaw could allow remote code execution.

These vulnerabilities "all relate to the DLL issues Microsoft has been working to address for some time now," Talbot said. "These are fairly easy to exploit, but because an attack would require a user to take some fairly uncommon steps - such as opening up malicious files from SMB or WebDAV servers - they're less likely to pose a serious threat."

"This current strain of DLL pre-loading vulnerabilities was first identified in August of 2010 and plagues a large number of software packages, some from Microsoft and many from third party vendors," said Qualys CTO Wolfgang Kandek. "Addressing all of the vulnerabilities is a daunting task and will not be completed any time soon, so we recommend implementing the guidelines laid out in [the Microsoft advisory from last August] that provide an additional safety-net on the operating systems for all Windows applications."

Microsoft said "we continue to address DLL-preloading issues as they are discovered; however, it's important to note that we have not seen exploitation of these issues in the wild." 

Microsoft did not patch an MHTML flaw disclosed in January that affects all supported editions of Windows. Also absent from today's Patch Tuesday are any fixes for Internet Explorer. However, we could learn of some new vulnerabilities in Microsoft's browser this week because of the Pwn2Own contest, in which security researchers will try to hack into IE, Safari, Chrome and Firefox.

Microsoft has started a new effort to convince users to stop using Internet Explorer 6, however. Despite coming out 10 years ago, IE6 is still widely used. While Microsoft said 12% of users have IE6 installed, Qualys said among its enterprise customers, 26% have IE6 installed. 

Follow Jon Brodkin on Twitter.
