In June, the Italian surveillance firm Hacking Team suffered a dramatic data breach, attackers leaked internal data of the company, including email messages and source code of the zero-day exploits used by the firm. This week Microsoft published 12 security bulletins related to 56 vulnerabilities affecting a number of products including the new Edge browser, Internet Explorer, Windows, Office, Skype for Business, .NET Framework and some of its other software products.
Among the fixed vulnerabilities, there is also the CVE-2015-2509 that affected the Windows Media Center and could allow to gain the same user rights as the current user on the target machine.
“The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
Microsoft also added that despite the public disclosure of the zero-day, it “had not received any information to indicate that this vulnerability had been publicly used to attack customers.”
However, the Hacking Team’s dump includes a working exploit for this flaw that is included in the surveillance software commercialized by the Italian firm.
Following the disclosure online of the Hacking Team Dump, security firms discovered the code for three zero-day in Flash Player, two in Windows and one in Internet Explorer. APTs groups and criminal crews immediately started adopting them in their campaigns.
According to experts at Trend Micro, who uncovered the Windows Media Center vulnerability fixed with last updates, the Hacking Team’ dump contain also a working exploit for this flaw.
The exploit appears quite recent because according to an internal email of the surveillance firms, it had been tested against Windows Media Center running on Windows 8.1, 8 and 7 with the April 2015 security updates installed.
“One of the important updates addresses a vulnerability found in the Windows Media Center (CVE-2015-2509). This vulnerability is related to a previously unreported zero-day exploit discovered in the Hacking Team leaked emails. Trend Micro researchers discovered the exploit and subsequently reported their findings to Microsoft. Based on information in the emails, the exploit works perfectly with the latest version of Windows Media Center.” states a blog post published by Trend Micro.
The exploit relies on a specifically crafted Media Center link (.mcl) file that is used as attack vector. The file could be delivered in targeted attacks in various attack scenarios such as a spear phishing email, download from a website, via instant messaging applications.
Kenney Lu, Threats Analyst from Thrend Micro explained that it is quite easily to create the malicious file by using a common text editor like Notepad.
“It should be noted that the Windows Media Center file extension is .MCL. We found that it is easy to create .MCL files using Notepad. For example, we created a .MCL file that contained instructions that will launch the computer’s calculator. We have successfully reproduced and sent the related POC file to Microsoft, which they have addressed in this month’s Patch Tuesday.” explained Lu.
Due to the availability online of the Windows Media Center exploit since the Hacking Team hack, cybercriminals might start using it in targeted attacks, Trend Micro suggest users avoid opening any .MCL file.
“The leaked data has been made available for over a month now, following the Hacking Team leaks, and cybercriminals may use this exploit for future attacks. We recommend users avoid opening any files with the .MCL file extension, especially from unverified sources.” states Trend Micro.
(Security Affairs – Hacking Team exploits, Windows Media Center )