The flaw reportedly lets attackers launch the player automatically on compromised machines. Further attacks, including hijacking of the contact book and access to data useful for identity theft, are also possible, the French Security Incident Response Team said this week.
Ross Brown, COO of network security firm eEye Digital Security, the company that originally discovered the flaw Tuesday, said the attacks mark a growing trend of hackers trying to gain illegal access to a computer by hitting consumer applications such as Windows Media Player, rather than targeting the operating system itself.
“It’s becoming increasingly common to see focused and targeted attacks that do not require the use of a virus or worm to be successful, as these attacks use social engineering to fool users into having spyware or malware unknowingly installed on their systems,” Brown said in a release. “Secondly, these malicious attackers are circumventing network-level security technologies by using file-format vulnerabilities [like the bitmap attack] to exploit users.”
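Brown's point about file-format vulnerabilities is that the attacker controls every byte of the file, so any size or offset the parser reads from the headers is attacker data. The following is an added example, not code from the article, eEye or Microsoft, and it does not reproduce the specific bitmap bug the article refers to: it is a generic, defensive parser for the two BMP headers (the 14-byte file header and the 40-byte BITMAPINFOHEADER) that checks the pixel offset, geometry and declared sizes against the real buffer length before copying anything. The sample files are constructed inline; the `make_bmp` and `check_case` helpers and the error codes are this example's own, and the assumption that only uncompressed BI_RGB data is handled is noted in the code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields are little-endian on disk; read/write them byte-wise so the code is
 * independent of host alignment and endianness. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Error codes are this example's own, not anything from the BMP spec. */
enum { BMP_OK = 0, BMP_E_SHORT = -1, BMP_E_MAGIC = -2, BMP_E_DIB = -3, BMP_E_OFF_LOW = -4,
       BMP_E_OFF_HIGH = -5, BMP_E_PLANES = -6, BMP_E_DIM = -7, BMP_E_BPP = -8,
       BMP_E_COMPRESSION = -9, BMP_E_OVERFLOW = -10, BMP_E_IMGSIZE = -11, BMP_E_TRUNC = -12,
       BMP_E_DST = -13 };

/* Validate the headers of an uncompressed BMP held entirely in buf[0..len).
 * On success returns the pixel offset and the exact byte count the geometry needs. */
int bmp_validate(const uint8_t *buf, size_t len, uint32_t *pix_off, uint32_t *pix_len) {
    if (len < 54) return BMP_E_SHORT;                 /* not even room for both headers */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_E_MAGIC;
    uint32_t off = rd32(buf + 10);                    /* bfOffBits: where pixels start  */
    uint32_t hsize = rd32(buf + 14);                  /* biSize                         */
    if (hsize < 40) return BMP_E_DIB;
    if ((uint64_t)off < 14ull + hsize) return BMP_E_OFF_LOW;  /* pixels "inside" headers */
    if (off > len) return BMP_E_OFF_HIGH;             /* pixels "start" past end of file */
    int32_t w = (int32_t)rd32(buf + 18), h = (int32_t)rd32(buf + 22);
    uint16_t planes = rd16(buf + 26), bpp = rd16(buf + 28);
    uint32_t comp = rd32(buf + 30), isize = rd32(buf + 34); /* biSizeImage may be 0 for BI_RGB */
    if (planes != 1) return BMP_E_PLANES;
    if (w <= 0 || h == 0 || h == INT32_MIN) return BMP_E_DIM;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return BMP_E_BPP;
    if (comp != 0) return BMP_E_COMPRESSION;          /* assumption: BI_RGB only, no RLE */
    uint32_t rows = (uint32_t)(h < 0 ? -h : h);
    /* Rows are padded to 4 bytes; compute in 64 bits so w*bpp cannot wrap around. */
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t need = stride * rows;
    if (need > UINT32_MAX) return BMP_E_OVERFLOW;
    if (isize != 0 && isize < need) return BMP_E_IMGSIZE;   /* declared size too small */
    if ((uint64_t)off + need > len) return BMP_E_TRUNC;     /* copy would run past buf */
    *pix_off = off;
    *pix_len = (uint32_t)need;
    return BMP_OK;
}

/* Copy pixel data only after validation. The unchecked shape of this operation,
 * memcpy(dst, buf + rd32(buf + 10), rd32(buf + 34)), is where file-format bugs live. */
long bmp_copy_pixels(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap) {
    uint32_t off, n;
    int rc = bmp_validate(buf, len, &off, &n);
    if (rc != BMP_OK) return rc;
    if (n > dst_cap) return BMP_E_DST;
    memcpy(dst, buf + off, n);
    return (long)n;
}

/* Build a constructed, uncompressed BMP with the given geometry and an arbitrary
 * bfOffBits. Sample data for the demo, not a real file. Returns total bytes, 0 if too big. */
size_t make_bmp(uint8_t *buf, size_t cap, int32_t w, int32_t h, uint16_t bpp, uint32_t off_bits) {
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;
    uint64_t pix = stride * (uint64_t)(h < 0 ? -h : h), total = 54 + pix;
    if (total > cap) return 0;
    memset(buf, 0, (size_t)total);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, (uint32_t)total); wr32(buf + 10, off_bits); wr32(buf + 14, 40);
    wr32(buf + 18, (uint32_t)w);    wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1);              wr16(buf + 28, bpp);
    wr32(buf + 30, 0);              wr32(buf + 34, (uint32_t)pix);
    return (size_t)total;
}

/* Demo helper: a 2x2, 24-bpp sample (16 pixel bytes at offset 54), optionally with a
 * tampered bfOffBits or biWidth, or with the file truncated. Returns bytes copied or error. */
long check_case(uint32_t off_bits, uint32_t fake_width, size_t truncate_by) {
    static uint8_t file[256], pixels[256];
    size_t len = make_bmp(file, sizeof file, 2, 2, 24, off_bits);
    if (len == 0 || truncate_by >= len) return -99;
    if (fake_width) wr32(file + 18, fake_width);
    return bmp_copy_pixels(file, len - truncate_by, pixels, sizeof pixels);
}

int main(void) {
    printf("well-formed        : %ld\n", check_case(54, 0, 0));
    printf("offset inside hdr  : %ld\n", check_case(0, 0, 0));
    printf("offset past EOF    : %ld\n", check_case(200, 0, 0));
    printf("width overflows    : %ld\n", check_case(54, 0x7FFFFFFFu, 0));
    printf("width > image size : %ld\n", check_case(54, 0x10000000u, 0));
    printf("file truncated     : %ld\n", check_case(54, 0, 8));
    return 0;
}
```

The design choice worth noting is that `bmp_validate` never trusts the file's own `bfSize` or `biSizeImage` as a bound; it recomputes the byte count the geometry implies in 64-bit arithmetic and compares that, plus the offset, against the length of the buffer it was actually given. A parser that instead sizes its copy from a header field, or that lets a zero or oversized offset through, is exactly the kind of code a crafted file can drive past the end of a buffer regardless of what the network perimeter inspected.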
Brown said users of Windows Media Player versions 7.1 through 10 must install Microsoft's MS06-005 patch to be protected.
The patch is also said to address a second Windows Media Player flaw, disclosed last week, that tricks Internet Explorer into opening corrupted files.
The French Security Incident Response Team rates both flaws “critical,” its highest severity rating.