Attacks targeting a Media Encoder ActiveX vulnerability have been detected beginning September 13

Sep 16, 2008 10:36 GMT

Microsoft released an advisory and a security update for a critical vulnerability in the Media Encoder 9 ActiveX control last week as part of its Patch Tuesday (September 9). Not long after the vulnerability became public knowledge, a PoC (proof-of-concept) exploit was posted on Milw0rm, and attacks based on it began to be detected in the wild.

The buffer overrun vulnerability can allow remote code execution when a maliciously crafted Web page is viewed. Users running under accounts with administrative privileges, as the vast majority of home users do, are most affected by this vulnerability because it can give the attacker full control over the system. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” notes the Microsoft advisory. The advisory also points out that the security update for this vulnerability is “rated Critical for all supported and affected editions of Microsoft Windows 2000, Windows XP, and Windows Vista, and Moderate for supported and affected versions of Windows Server 2003 and Windows Server 2008”.

On September 13, a PoC exploit for this vulnerability was posted on the exploit tracking website Milw0rm. However, the exploit code itself, attributed to haluznik in its comments, carries a creation date of September 10. The malicious code is served through an escaped JavaScript function launched on an onclick event.

Sean Hittel reports on Symantec's Security Response Blog that honeypots picked up custom attacks based on this exploit very soon after its release on Milw0rm, confirming the trend of attackers adopting publicly disclosed exploits early. Attackers rely on this technique because they are confident that users are slow to patch their systems.

According to Mr. Hittel, the attacks vary by replacing the original proof-of-concept shellcode with custom shellcode, but two general methods of distribution are identified. The first uses the code in an open, cleartext form, while the other obfuscates the code and incorporates it into an already widely deployed attack toolkit named e2. The toolkit functions by attaching encrypted code to compromised legitimate websites. That code redirects the user to the actual attack page, which tries to exploit multiple vulnerabilities. The encryption is based on a two-key decoder of the form: String.fromCharCode(key2 ^ (key1 ^ encodedString.charCodeAt(i))).
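As an added example (not code from the article, from Symantec or from the e2 toolkit), here is the quoted decoder written out as a function, together with the analyst-side observation that its two keys collapse to a single XOR byte, which is what makes a signature on the decoded content or on the decoder stub independent of key changes. The key values, the plaintext and the crib string below are constructed for the demonstration.

```javascript
// Added example: model of the two-key XOR decoder quoted in the article,
// plus analyst-side key recovery. All sample data here is constructed.

// The decoder form the article quotes, written out in full.
function e2Decode(encodedString, key1, key2) {
  let out = "";
  for (let i = 0; i < encodedString.length; i++) {
    out += String.fromCharCode(key2 ^ (key1 ^ encodedString.charCodeAt(i)));
  }
  return out;
}

// XOR is its own inverse, so the same routine produces the encoded form;
// used here only to build the constructed sample below.
const e2Encode = e2Decode;

// key2 ^ (key1 ^ c) === (key1 ^ key2) ^ c: however the toolkit rotates its
// two keys, the blob is a single-byte XOR under one effective key.
function effectiveKey(key1, key2) {
  return (key1 ^ key2) & 0xff;
}

// Key recovery without knowing either key: drag a crib (a string the
// decoded stage is expected to contain) across the blob. At each offset
// the first byte proposes a key; keep it if it decodes the whole crib.
function recoverKey(encodedString, crib) {
  for (let off = 0; off + crib.length <= encodedString.length; off++) {
    const k = encodedString.charCodeAt(off) ^ crib.charCodeAt(0);
    let ok = true;
    for (let j = 1; j < crib.length && ok; j++) {
      ok = (encodedString.charCodeAt(off + j) ^ k) === crib.charCodeAt(j);
    }
    if (ok) return { key: k, offset: off };
  }
  return null;
}

// Constructed sample: a harmless redirect of the kind a stage-one blob
// carries (hypothetical content, not an indicator from the article).
const SAMPLE_PLAIN = 'document.location = "http://example.invalid/landing";';
const SAMPLE_KEY1 = 0x5a, SAMPLE_KEY2 = 0x3c; // constructed key pair
const SAMPLE_ENCODED = e2Encode(SAMPLE_PLAIN, SAMPLE_KEY1, SAMPLE_KEY2);

const recovered = recoverKey(SAMPLE_ENCODED, "document.location");
console.log("effective key 0x" + effectiveKey(SAMPLE_KEY1, SAMPLE_KEY2).toString(16));
console.log("recovered key 0x" + recovered.key.toString(16) + " at offset " + recovered.offset);
console.log(e2Decode(SAMPLE_ENCODED, recovered.key, 0));
```

Decoding with the recovered single key and a zero second key yields the same output as the original key pair, which is the point: the pair adds no strength over one XOR byte.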

Users are encouraged to install the security update released by Microsoft immediately, and Mr. Hittel reports that signatures for Symantec products (NAV/NIS 2008/2009 or N360v2 and SCS/SEP, as well as pre-2008 versions) already block these attacks. In addition, “because this signature is immune to iterations of encoders used on the exploit, future iterations of the exploit encoding will also be detected without need for a signature update”.