Vulnerability in Windows Media Player Fixed by Microsoft
The software giant Microsoft, on April 13, 2010, fixed 25 flaws, including major flaws in Windows Media Player and a significant crucial video file format that stops drive-by attacks, which will spread on the Web at a rapid pace. Microsoft recommends applying all the fixes, but it lays emphasis on the immediate implementation of three particular updates- MS0-019, MS10-026 and MS10-027.
Andrew Storms, director of security operations at nCircle Network Security, said that the patches which cover the codec DirectShow and Windows Media Player- MS10-026 and MS10-027 need immediate consideration, as per the news published by ComputerWorld on April 13, 2010. He further added that this is a classic situation of movies-to-malware, where a user watching a video is actually being hijacked.
MS10-026 is found critical on XP, Server 2003, Server 2008 and Windows 2000 and could facilitate a hacker to completely take over the system if a user were to either click on a malicious Audio Video Interleave file (AVI) or if he had it stream from a website. On the other hand, MS10-027 handles a flaw, which can be abused if a user simply visits a specially designed webpage.
According to Jason Miller, data and security team leader at Shavlik Technologies, both the patches deal with multimedia files usually accessed by the users at home, but are becoming increasingly common on business PCs also, as per the news published by NetworkWorld on April 13, 2010.
Miller says that if a system is not patched and opens up a malicious file, it is most likely to get remote code execution. At this point of time, online videos are largely seen, and if the sender of the video is unknown, or even the website that hosts it is unknown, then a user can surely start remote code execution.
Another patch from MS0-019 relates to digital signature practices, which help people ensure that the sender of a file is an authentic source. Microsoft discovered a method by which a hacker can add malicious code to a file, without even cracking the digital signature.
Miller explained that they fixed the flaw in which that file could be faked, embedded with malware, without making the signature void.
Besides critical patches, April fixes of Microsoft also include eight "moderate" and eight "important" patches.
Related article: Vulnerabilities in Web Applications Invite Hackers’ Activities
» SPAMfighter News - 24-04-2010