Updated, Dec. 10 at 5:22 p.m. EST
Researchers today began noticing increased activity on ports directed to media players, a strong indication that attackers are actively screening machines for a new codec vulnerability reported over the weekend.
The "highly critical" vulnerabilities, according to Secunia, are located in 3ivx Technologies' MPEG-4 codec, a required compatibility program used to create and play back MP4 files. The bugs are caused by boundary errors that can lead to stack-based buffer overflows via a maliciously crafted MP4 file.
Experts have seen proof-of-concept code impacting Windows Media Player 6.4, Media Player Classic 6.4.9 and Winamp 5.32 – all older versions of the popular multimedia applications. But other versions are likely vulnerable as well, Ben Greenbaum, senior research manager in Symantec Security Response, told SCMagazineUS.com today.
"We see people that are looking for machines that have already been exploited in this fashion or are trying to connect to machines that they think have been successfully exploited," he said.
Greenbaum said that attackers are opting to exploit bugs in media players and the plugins that increase their functionality as organizations and vendors get better at securing operating systems and applications.
"These attacks can be placed on trusted websites and immediately exposed to hundreds of thousands of potential victims," he said. "Lots of websites allow users to incorporate their own content. It's an easy way for attackers to get their exploit up to a site that's going to have a lot of eyes."
The goal of these attacks is usually to drop a secondary payload, such as a bot or trojan, he added.
As users await a patch, businesses should ensure they have policy in place that permits employees to connect to media players only for work purposes, Greenbaum said. In addition, organizations should be running an up-to-date anti-virus solution, an intrusion detection system and endpoint security management tools to help identify and remove vulnerable software.
A spokesperson for 3ivx, which would be responsible for the fix, did not return a request for comment.
A spokesman for AOL, which owns Winamp, said users should update to the latest version.
"We encourage everyone to upgrade to [version] 5.5, which is actually not vulnerable to the attack," AOL spokesman Kurt Patat told SCMagazineUS.com today. "That's people's best bet if they want to avoid the vulnerability."
Mark Miller, director of security response for Microsoft, advised Windows Media Player users to do the same.
"The affected code does not ship in box with any version of Windows or Windows Media Player," he said.
