Researchers today began noticing increased activity on ports directed to media players, a strong indication that attackers are actively screening machines for a new codec vulnerability reported over the weekend.
The "highly critical" vulnerabilities, according to Secunia, are located in 3ivx Technologies' MPEG-4 codec, a required compatibility program used to create and play back MP4 files. The bugs are caused by boundary errors that can lead to stack-based buffer overflows via a maliciously crafted MP4 file.
Experts have seen proof-of-concept code impacting Windows Media Player 6.4, Media Player Classic 6.4.9 and Winamp 5.32 – all older versions of the popular multimedia applications. But other versions are likely vulnerable as well, Ben Greenbaum, senior research manager in Symantec Security Response, told SCMagazineUS.com today.
"We see people that are looking for machines that have already been exploited in this fashion or are trying to connect to machines that they think have been successfully exploited," he said.
Greenbaum said that attackers are opting to exploit bugs in media players and the plugins that increase their functionality as organisations and vendors get better at securing operating systems and applications.
"These attacks can be placed on trusted websites and immediately exposed to hundreds of thousands of potential victims," he said. "Lots of websites allow users to incorporate their own content. It's an easy way for attackers to get their exploit up to a site that's going to have a lot of eyes."
The goal of these attacks is usually to drop a secondary payload, such as a bot or trojan, he added.
As users await a patch, businesses should ensure they have a policy in place that permits employees to connect to media players only for work purposes, Greenbaum said. In addition, organisations should be running an up-to-date anti-virus solution, an intrusion detection system and endpoint security management tools to help identify and remove vulnerable software.
A spokeswoman for 3ivx, which would be responsible for the fix, did not return a request for comment.
A spokesman for AOL, which owns Winamp, said users should update to the latest version.
"We encourage everyone to upgrade to [version] 5.5, which is actually not vulnerable to the attack," AOL spokesman Kurt Patat told SCMagazineUS.com today. "That's people's best bet if they want to avoid the vulnerability."
Microsoft is scheduled to release a patch on Tuesday that addresses flaws in Windows Media Player, but it is unclear whether that fix would resolve this flaw. A company spokesman said he was checking into the issue.
See original article on scmagazineus.com
Codec flaws threaten Windows Media Player, Winamp
By Dan Kaplan on Dec 11, 2007 9:48AM