Microsoft blocks 'movies-to-malware' attacks

Patches 25 vulnerabilities, including two that attackers will quickly exploit, say researchers

Microsoft today patched 25 vulnerabilities in Windows, Exchange and Office, including nine marked "critical," the company's highest threat ranking.

But researchers were unanimous in urging users to immediately apply two of the 11 updates, which address major bugs in Windows Media Player and an important video file format, to block drive-by attacks that will quickly spread on the Web.

The patches also fixed eight flaws pegged as "important," the step just below critical in Microsoft's four-stage scoring system, and another eight tagged as "moderate." Five of today's 11 update packages were marked critical, five were labeled important and the remaining one moderate.

Security experts directed users' attention to a pair of updates that addressed issues in Windows' media infrastructure.

"MS10-026 and MS10-027, which cover [the] DirectShow [codec] and Windows Media Player, are the ones to look at immediately," said Andrew Storms, director of security operations at nCircle Network Security. "This is a classic movies-to-malware situation, where you're watching a video but actually being hijacked."

MS10-026 affects Windows 2000, XP, Vista and Server 2008, but not the newer Windows 7 or Server 2008 R2, according to Microsoft's accompanying advisory. It deals with a vulnerability that could be used to hijack a PC if "a user opened a specially crafted .avi file containing an MPEG Layer-3 audio stream," Microsoft said.

MS10-027, on the other hand, patches a critical bug in Windows Media Player, the audio and video player installed by default with Windows, on Windows 2000 and XP.

"These were the two that jumped out at us, too," said Amol Sarwate, manager of Qualys' vulnerabilities research lab.

"They have a drive-by attack vector, where if you click a link in an e-mail or go to a [malicious] Web site, you're owned," added Richie Lai, director of vulnerability research at Qualys.

Other researchers, including Josh Abraham of Rapid7 and Jason Miller, Shavlik's data and security team manager, put the same two updates at the top of their to-do lists. "Based on the information Microsoft has provided, there's definitely the potential for exploitation in the wild of these," Abraham said.

"The Internet is a giant media hub now," added Miller. "These are very good targets, because first of all, lots of people aren't going to upgrade [Windows Media Player] and second, most people watch video when they're online. Not at the office? Come on.... When I walk around here, everyone's watching video."

Lai, of Qualys, agreed. "MS01-027 can be exploited with just a script, and we've seen both DirectShow and Media Player exploited in the past. I give them a week before we see them in the wild," he said.

Microsoft has repeatedly patched both DirectShow, the vulnerable codec addressed by MS10-026, and Windows Media Player, which MS10-027 patches, said nCircle's Storms, who cited three updates in 2009 for each component. "Microsoft has patched these just as often as Apple has patched QuickTime," Storms said. "But that doesn't surprise me. What with a lot of what consumers do on the Internet being multimedia-based, there are a lot of [researchers'] eyeballs on these components."

A third media-related update patched a critical vulnerability in Windows 2000's implementation of Windows Media Services. Although that service is not enabled by default, Lai said the vulnerability could become a target for hackers eager to write a worm. "It's a wormable bug if you have this installed," he said.

Windows 2000, which is slated to be fully retired from support this July, currently has only a .06% share of the global operating system usage market, according to the latest data from Web analytics vendor

Other updates today patched Microsoft's Publisher and Visio applications -- two parts of its Office suite family -- Windows' digital signing function, the Windows kernel, the SMTP service that's part of the popular Exchange e-mail server software, and the ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) component in most versions of Windows.

Researchers split on what to patch after applying MS10-026 and MS10-027.

"MS10-019 is both pretty interesting and pretty disturbing," said Miller, talking about the patch for Authenticode Verification, the encryption and digital signing service Windows uses to verify legitimate software. Hackers who exploit the two critical vulnerabilities could, said Microsoft, "cause Windows to install or run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Lai said he expects attackers to show intense interest in the Authenticode bugs because exploiting the flaws would allow them to disguise malware as digitally signed software from the likes of Microsoft. "They won't be exploited any time soon," he said, noting that part of the exploit mechanism will be difficult to craft, "but maybe within a couple of months we'll see some. This really puts the fear [into users] of what's on their machines, and what's real software and what isn't."

While today's Patch Tuesday was slightly smaller in scope than February's -- which boasted 13 security bulletins and patched 26 bugs -- it is still enormous, researchers agreed.

"More important, it's fragmented," said Wolfgang Kandek, the chief technology officer of Qualys. "There are not only lots of bulletins, but some are really small in coverage and affect only a small fraction of users. Because it's very fragmented, it's a different kind of challenge for administrators."

Among today's fixes were ones for two outstanding security advisories that Microsoft issued in November 2009 and March 2010. The November 2009 warning was prompted by reports of a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, within Windows 7 and Windows Server 2008 R2. At the time, the flaw was the first Microsoft-confirmed zero-day vulnerability for Windows 7.

The March advisory warned Windows XP users not to press the F1 key when prompted by a Web site, Microsoft's response to a report by Polish security researcher Maurycy Prodeus of a vulnerability in VBScript that attackers could exploit to hijack PCs running Internet Explorer (IE).

Microsoft's updates are not the only ones to hit users today. Adobe has also released an update to its Reader and Acrobat PDF software that fixed 15 vulnerabilities, most of them critical. Oracle is slated to deliver 16 patches today for Sun Microsystems' software and another 47 for its own database products.

This month's Microsoft security update can be downloaded and installed via the Windows Update and Microsoft Update services, as well as through Windows Server Update Services.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is .
