Microsoft Targets Media Flaws In April Patches

Internet Explorer is typically Microsoft's biggest attack target, and the software giant in late March issued a rare out-of-band patch to deal with a zero day vulnerability in IE6 and IE7. However, three of this month's 11 security updates target vulnerabilities in Microsoft media technologies, and all three carry Microsoft highest threat rating of 'Critical'.

Microsoft's fixes for MPEG Layer 3 Codec (MS10-026) and Windows Media Player (MS10-027) address risks to the client, although Windows 7 isn't vulnerable in either case. Microsoft's patch for Windows Media Services (MS10-025) focuses on a vulnerability that only affects Microsoft Windows 2000 Server Service Pack 4.

By ranking the media fixes so highly, Microsoft shows it's aware that hackers could target these flaws in social engineering attacks. This would entail creating a specially rigged video and luring an unsuspecting Web user to play it on their machine, thereby enabling the dreaded remote code execution scenario.

The prevalence of video sharing, both online and through attachments, is causing people to let their guard down. And according to security experts, that's where social engineering is most effective, since people are already impulsively clicking on links that arrive via email.

"Web multimedia is very big right now, especially streaming video. But people aren't educated on the security risks," said Jason Miller, data and security team manager for Minneapolis-based security vendor Shavlik Technologies.

Another factor here is the growing sophistication of Web media players, which are capable of playing multiple different media formats. This sophistication makes it possible for vulnerabilities to creep into the application code, said Wolfgang Kandek, CTO of Qualys, Redwood Shores, Calif.

"With programs that are powerful and able to interpret all these different formats, there are lots of opportunities for coding flaws," said Kandek. "Some of these applications are probably written by 20 different people, and that leaves a rich field for attackers to find flaws."

The most ominous of this month's patches is one that addresses two privately reported vulnerabilities in Windows Authenticode Verification (MS10-019), which also carry the risk of remote code execution. According to Miller, these vulnerabilities could allow hackers to bypass digitally signed files of the type that are commonly exchanged between businesses.

Microsoft assigned the vulnerabilities its highest rating of 'Critical' and indicated that it affects all versions of Windows, including Windows 7 and Windows Server 2008 R2.

In six years as a security researchers, Miller says he's never come across this type of vulnerability, and it could eventually be used in future attacks. "This could let attackers bypass and change the executable to something malicious while still maintaining the digital signature," he said.

Overall, Microsoft issued 11 security bulletins that address 25 vulnerabilities, eight of which affect Windows.