Attacks target Windows XP users

Jun 16, 2010 15:05 GMT
Zero-day XP Help Center vulnerability exploited to infect users with malware

A critical Windows remote code execution vulnerability disclosed last week is already being exploited in the wild. Security companies warn that attackers are luring unsuspecting users onto malicious Web pages that leverage the flaw to install malware on their computers.

Last Thursday, Tavis Ormandy, an information security engineer at Google, revealed details about a previously unknown vulnerability in the Windows Help and Support Center. Because his disclosure included fully working exploitation code and Microsoft had been given only five days' notice to patch the bug, many people in the information security community accused Ormandy of acting irresponsibly.

"Today, we got the first pro-active detection (Sus/HcpExpl-A) on malware that is spreading via a compromised website. This malware downloads and executes an additional malicious component (Troj/Drop-FS) on the victim’s computer, by exploiting this vulnerability," Donato Ferrante, a security researcher at Sophos, announced yesterday. "In my opinion publishing exploit code was utterly irresponsible behaviour, and I was worried that having such information floating around the internet would make it easy for cybercriminals to take advantage," Graham Cluley, the company's senior technology consultant, commented.

Microsoft confirmed the attacks via its official advisory on the issue, but describes them as "targeted and limited." Additionally, according to the company, these attacks only target Windows XP, even though the vulnerability affects both Windows XP and Windows Server 2003.

Meanwhile, security researchers from antivirus vendor Trend Micro have also intercepted some drive-by download attacks exploiting the unpatched flaw. After looking into them, Joseph Cepe, a threat analyst at the company, concluded that there were two distinct methods of delivering the malware.

The first requires tricking users into clicking on a prompt to initiate the exploitation, which downloads a trojan onto their computers. This trojan then downloads another trojan, which in turn downloads additional malware, including scareware.

The second approach, which according to the researcher is stealthier, uses a page that launches Windows Media Player and pushes an .ASX (Advanced Stream Redirector) file to it. ASX files are XML documents, similar to playlists, that can contain references to other addresses. In this case, the URL the file points to is currently inactive.

Microsoft has released an automated "Fix it" tool to temporarily address the issue until a permanent patch is tested and delivered to users. The tool works by blocking the use of hcp:// links system-wide, which this exploit requires in order to work. However, this will also break legitimate functionality that relies on such URLs.
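As an added illustration of the ASX delivery vector and the hcp:// dependency described above (this is example code, not from the article, Trend Micro or Microsoft), the small Python scanner below extracts the reference URLs from an ASX playlist and flags any that use the hcp: scheme, which a media playlist has no reason to contain. The sample playlist and its placeholder hcp:// URL are constructed.

```python
import re
from typing import List

# ASX is XML-like but frequently not well-formed, so a tolerant, case-insensitive
# regex is used instead of a strict XML parser. Matches href="..." or href='...'
# inside <REF ...> tags.
_REF_HREF = re.compile(
    r"<\s*ref\b[^>]*?\bhref\s*=\s*([\"'])(.*?)\1",
    re.IGNORECASE | re.DOTALL,
)

# Schemes that should never appear in a media playlist. hcp: is the one the
# exploit discussed above relies on (assumed list, constructed for this example).
SUSPICIOUS_SCHEMES = ("hcp:",)


def extract_refs(asx_text: str) -> List[str]:
    """Return every href found in <REF> entries of an ASX document, in order."""
    return [m.group(2).strip() for m in _REF_HREF.finditer(asx_text)]


def find_suspicious_refs(asx_text: str) -> List[str]:
    """Return the refs whose scheme is on the suspicious list (e.g. hcp://)."""
    return [u for u in extract_refs(asx_text)
            if u.lower().startswith(SUSPICIOUS_SCHEMES)]


# Constructed sample: one benign streaming entry plus a placeholder hcp:// entry.
SAMPLE_ASX = """<ASX version="3.0">
  <TITLE>sample</TITLE>
  <ENTRY><REF HREF="mms://media.example.net/stream.wma"/></ENTRY>
  <ENTRY><Ref href='hcp://PLACEHOLDER-NOT-A-REAL-PATH' /></ENTRY>
</ASX>"""

if __name__ == "__main__":
    for url in find_suspicious_refs(SAMPLE_ASX):
        print("suspicious reference:", url)
```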

You can follow the editor on Twitter @lconstantin