Symantec Security Response is aware of in-the-wild malware exploiting the Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing Remote Buffer Overflow Vulnerability (BID 51292, CVE-2012-0003). Microsoft fixed this vulnerability in its January Patch Tuesday release (MS12-004), so a patch is already available; applying it is strongly recommended.
There are several components involved in this live attack:
- a.exe
- baby.mid
- i.js
- mp.html
Symantec products detect mp.html and i.js as Trojan.Malscript. The malicious baby.mid file, which triggers the overflow, is detected as Trojan Horse, and the end-result payload, a.exe, is flagged as Downloader.Darkmegi. The Downloader.Darkmegi detection also covers two files it drops: com32.dll and com32.sys.
On the IPS side, i.js is blocked by the Web Attack: Malicious JavaScript signature, while the initial exploit attempt (the heap spray that prepares memory before the malformed MIDI file is loaded) is blocked by the Web Attack: Malicious JavaScript Heap Spray Generic signature.
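The vulnerability above is a parser trusting lengths and data values read from a MIDI file. The following Python script is an added example written for this page; it is not Symantec's code and does not reproduce the winmm.dll bug or the baby.mid sample. It is a strict Standard MIDI File checker that applies the bounds and value checks a robust parser must make (chunk lengths inside the file, variable-length quantities and event payloads inside their track, data bytes limited to 0x00-0x7F, a proper End of Track) and rejects anything else before the file reaches a media player. The sample files at the bottom are constructed for the demo.

```python
"""Strict structural checker for Standard MIDI Files (SMF). Added example, not the post's code:
it does not reproduce the winmm.dll bug or baby.mid, only the bounds/value checks a parser needs."""
import struct


class MidiFormatError(ValueError):
    """Raised on any structural violation of the SMF format."""


def _read_vlq(data, pos, end):
    """Variable-length quantity: up to 4 bytes, MSB set means 'continue'."""
    value = 0
    for _ in range(4):
        if pos >= end:
            raise MidiFormatError("variable-length quantity runs past track end")
        value, pos = (value << 7) | (data[pos] & 0x7F), pos + 1
        if not data[pos - 1] & 0x80:
            return value, pos
    raise MidiFormatError("variable-length quantity longer than 4 bytes")


def _check_track(data, start, end):
    """Walk one MTrk body [start, end); return the number of events in it."""
    pos, running_status, events, ended = start, None, 0, False
    while pos < end:
        if ended:
            raise MidiFormatError("bytes after End of Track meta event")
        _delta, pos = _read_vlq(data, pos, end)
        if pos >= end:
            raise MidiFormatError("delta-time not followed by an event")
        if data[pos] & 0x80:                          # explicit status byte
            status, pos = data[pos], pos + 1
        elif running_status is None:
            raise MidiFormatError("data byte at offset %d with no running status" % pos)
        else:
            status = running_status                   # running status reuses last channel status
        if status in (0xFF, 0xF0, 0xF7):              # meta: FF type len data; sysex: F0/F7 len data
            running_status, meta_type = None, None
            if status == 0xFF:                        # a missing type byte is caught by _read_vlq
                meta_type, pos = (data[pos], pos + 1) if pos < end else (None, end)
            length, pos = _read_vlq(data, pos, end)
            if pos + length > end:
                raise MidiFormatError("event length %d at offset %d exceeds track" % (length, pos))
            pos += length
            ended = meta_type == 0x2F and length == 0 # End of Track
        elif 0x80 <= status <= 0xEF:                  # channel message: 1 or 2 data bytes
            running_status = status
            count = 1 if (status & 0xF0) in (0xC0, 0xD0) else 2
            if pos + count > end:
                raise MidiFormatError("channel event truncated at offset %d" % pos)
            for i in range(pos, pos + count):         # data bytes must be 7-bit
                if data[i] & 0x80:
                    raise MidiFormatError("data byte 0x%02X at offset %d has high bit set" % (data[i], i))
            pos += count
        else:
            raise MidiFormatError("status 0x%02X is not valid inside an SMF track" % status)
        events += 1
    if not ended:
        raise MidiFormatError("track does not finish with End of Track")
    return events


def check_midi(data):
    """Validate a whole SMF image; return a summary dict or raise MidiFormatError."""
    if len(data) < 14 or data[:4] != b"MThd":
        raise MidiFormatError("missing MThd header")
    hdr_len, fmt, ntrks, division = struct.unpack(">IHHH", data[4:14])
    if hdr_len < 6 or 8 + hdr_len > len(data) or fmt not in (0, 1, 2) or (fmt == 0 and ntrks != 1):
        raise MidiFormatError("invalid MThd: length %d, format %d, %d tracks" % (hdr_len, fmt, ntrks))
    pos, events = 8 + hdr_len, []
    while len(events) < ntrks:
        if pos + 8 > len(data):
            raise MidiFormatError("file ends before track %d" % (len(events) + 1))
        chunk_id, (length,) = data[pos:pos + 4], struct.unpack(">I", data[pos + 4:pos + 8])
        body_end = pos + 8 + length
        if body_end > len(data):                      # never trust a declared length
            raise MidiFormatError("chunk length %d at offset %d exceeds file size" % (length, pos))
        if chunk_id == b"MTrk":
            events.append(_check_track(data, pos + 8, body_end))
        pos = body_end                                # unknown chunk IDs are skipped, in bounds
    return {"format": fmt, "tracks": ntrks, "division": division, "events": events}


def is_well_formed(data):
    """(True, 'ok') for a structurally valid file, else (False, reason)."""
    try:
        check_midi(data)
        return True, "ok"
    except MidiFormatError as exc:
        return False, str(exc)


# Constructed sample files for the demo (not the in-the-wild baby.mid).
_TRACK_BODY = bytes([
    0x00, 0x90, 0x3C, 0x40, 0x00, 0x3E, 0x40,         # note on C4; note on D4 via running status
    0x60, 0x80, 0x3C, 0x40, 0x00, 0x3E, 0x40,         # 96 ticks later: both notes off
    0x00, 0xFF, 0x2F, 0x00])                          # End of Track meta event
VALID_MIDI = (b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96)
              + b"MTrk" + struct.pack(">I", len(_TRACK_BODY)) + _TRACK_BODY)
# Note-on whose note number has the high bit set: not a legal data byte.
BAD_DATA_BYTE_MIDI = VALID_MIDI.replace(bytes([0x90, 0x3C, 0x40]), bytes([0x90, 0x83, 0x40]))
# Track header claiming far more bytes than the file holds (MTrk length field is at 18..22).
BAD_LENGTH_MIDI = VALID_MIDI[:18] + struct.pack(">I", 0x7FFFFFFF) + VALID_MIDI[22:]

if __name__ == "__main__":
    for sample in (VALID_MIDI, BAD_DATA_BYTE_MIDI, BAD_LENGTH_MIDI):
        print(is_well_formed(sample))
```

Running the script prints one verdict per sample: the well-formed file passes, the note with a high-bit data byte is rejected at the offending offset, and the oversized track length is rejected before any track bytes are read. Every length taken from the file is compared against the enclosing boundary before it is used, which is the discipline a parser for any untrusted binary format has to follow.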
Related stories:
- Exploit for June MS Tuesday Vulnerability in the Wild
- 0-Day Attack in the Wild for Adobe Flash, Reader, and Acrobat
- Zero-day Attack in the Wild for Adobe Flash, Reader, and Acrobat
- Malware Leveraging MIDI Remote Code Execution Vulnerability Found
- Limited Firefox Zero-Day Attack in the Wild