As a member of MAPP, K7 is privy to advance information about certain vulnerabilities and exploits. Last week, with the aid of the MAPP bulletin, we released detection (Exploit (700000031)) for MIDI files which attempt to exploit vulnerability CVE-2012-0003, which Microsoft rates as critical.
MIDI is an old-fashioned media file format, which in theory reduces the attack surface for the exploit since these files are uncommon in modern use. However, it might still be possible for an attacker to lure victims to a website or a document in which an embedded malicious MIDI file is rendered automatically, triggering the vulnerability. We have not seen any reports of Exploit (700000031) in the wild thus far.
We at K7TCL will continue to focus on timely detection of high-risk exploits. It is important to prioritise detection by risk factor, since adding detection for exploit files can be non-trivial: many exploit files, by their very nature, use relatively obscure file formats. Heuristic detection of such files requires non-standard file parsing, which carries possible consequences for scanning performance and stability and, perforce, an increased risk of misdetections as well.
In terms of common “in the wild” threats, the Carnivore feature in K7 products provides generic protection against active attempts to exploit several popular applications, such as certain browsers and document readers, not necessarily from Microsoft.
Exploitation of vulnerabilities, especially in standard Windows OS applications, is a clear and present danger which ought to be taken very seriously. To counter this threat there is no substitute for applying the relevant security updates, and we strongly recommend that this be done on a regular basis. Detection of exploits, whether via Carnivore or via real-time scanning, should be seen simply as an additional safety net, not as a substitute for applying patches. Note that K7 products also have the functionality to identify certain vulnerable applications present on the computer so that the relevant Microsoft patch may be applied as appropriate.
Samir Mody
Senior Manager, K7TCL