CVE-2015-6131
Published 2015-12-09
Priority: P2 · 66 · Critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public PoC available (see references)
EPSS: 30.54% (98.0th percentile)
Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows remote attackers to execute arbitrary code via a crafted .mcl file, aka "Media Center Library Parsing RCE Vulnerability."
Detection & IOCs (extracted from sources)
- Detect .mcl files that reference themselves or an external URL as an HTML page: the referenced content is parsed inside Windows Media Center in the Local Machine IE security zone, which is what turns a rendered page into arbitrary code execution.
- Monitor for ADODB.Recordset or ADODB.Connection ActiveX object instantiation from within the Windows Media Center (ehshell.exe) process context, particularly rs.Save() calls writing into a user's Startup folder.
- Alert on files with the .mcl extension being opened or delivered via email or the web, especially those containing script tags or HTML that references external or self URLs.
- Monitor SMB traffic for credential/username leakage (an outbound SMB session exposes the Windows username): the exploit instructs the attacker to sniff SMB traffic to retrieve the remote Windows username needed to construct the correct Startup path for payload delivery.
- Detect Wscript.Shell ActiveX object instantiation spawning child processes from within the Media Center or HTA (mshta.exe) context; the payload uses Wscript.Shell to run arbitrary executables.
- Monitor for .hta files written to any user's Startup folder (AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\), the persistence mechanism used by this exploit.
- Note: the IP address 192.168.10.10 used in the exploit is a private/PoC address and should not be treated as threat-actor infrastructure; attackers will substitute their own server address.
- Note: the Windows username embedded in the Startup path ('windowsuser') is a placeholder; a real attack must enumerate the victim's actual username (via SMB sniffing, per the exploit instructions) to construct the correct payload drop path.
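The checks above can be scripted. The following is an added example written for this page; it is not code from the page, from the public exploit, or from Microsoft. It assumes that an .mcl file names its target in `url`/`run` attributes, that the Media Center host process is ehshell.exe (under C:\Windows\ehome), and that endpoint telemetry uses Sysmon-style field names (Image, ParentImage, TargetFilename). The two .mcl samples and the three events are constructed for the example; the 192.168.10.10 address and 'windowsuser' placeholder are reused from the IOC notes only so the triage output lines up with them.

```python
"""Triage helpers for the .mcl delivery chain described in the IOC list above.

Added example; none of this is code from the page, the exploit, or Microsoft.
Assumptions: .mcl files carry their target in url/run attributes, the Media
Center host process is C:\\Windows\\ehome\\ehshell.exe, and events use Sysmon
field names (Image, ParentImage, TargetFilename). All samples are constructed.
"""
import re
from typing import Dict, List

# --- Constructed samples (not from the page) ---------------------------------
BENIGN_MCL = '<application title="Vendor Extra" run="C:\\Program Files\\Vendor\\extra.exe" />'
MALICIOUS_MCL = (
    '<application title="Free Movies" url="http://192.168.10.10/poc.mcl"/>\n'
    '<html><script language="VBScript">\n'
    'Set rs = CreateObject("ADODB.Recordset")\n'
    'rs.Save "C:\\Users\\windowsuser\\AppData\\Roaming\\Microsoft\\Windows\\'
    'Start Menu\\Programs\\Startup\\x.hta", 0\n'
    '</script></html>\n'
)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\ehome\ehshell.exe"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\ehome\ehshell.exe",
     "TargetFilename": r"C:\Users\windowsuser\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\x.hta"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# --- Patterns -----------------------------------------------------------------
TARGET_ATTR = re.compile(r'\b(url|run)\s*=\s*"([^"]*)"', re.IGNORECASE)  # assumed attribute names
OFF_HOST = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)   # URL or UNC path
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
RISKY_OBJECT = re.compile(
    r"ADODB\.(?:Recordset|Connection|Stream)|WScript\.Shell|Scripting\.FileSystemObject",
    re.IGNORECASE)
STARTUP_HTA = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.hta$",
    re.IGNORECASE)
MEDIA_CENTER_HOSTS = {"ehshell.exe", "mshta.exe"}  # ehshell.exe: assumed Media Center host


def triage_mcl(text: str) -> List[str]:
    """Static checks for a delivered .mcl: where it points, and whether it
    smuggles HTML/script or automation objects alongside the XML."""
    findings: List[str] = []
    for attr, target in TARGET_ATTR.findall(text):
        if OFF_HOST.search(target):
            findings.append(f"{attr.lower()} points off-host: {target}")
        if target.lower().endswith(".mcl"):
            findings.append(f"{attr.lower()} references an .mcl (self-reference)")
    if SCRIPT_TAG.search(text):
        findings.append("contains <script> tag")
    hit = RISKY_OBJECT.search(text)
    if hit:
        findings.append(f"instantiates {hit.group(0)}")
    return findings


def is_startup_hta(path: str) -> bool:
    """True when a path is an .hta inside any user's roaming Startup folder."""
    return STARTUP_HTA.search(path) is not None


def flag_events(events: List[Dict[str, str]]) -> List[str]:
    """Sysmon-style process-create / file-create events: flag children of the
    Media Center or HTA host, and .hta drops into a Startup folder."""
    alerts: List[str] = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
            if parent in MEDIA_CENTER_HOSTS:
                alerts.append(f"{parent} spawned {ev.get('Image')}")
        elif kind == "FileCreate" and is_startup_hta(ev.get("TargetFilename", "")):
            alerts.append(f"{ev.get('Image')} wrote {ev.get('TargetFilename')}")
    return alerts


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_MCL), ("malicious", MALICIOUS_MCL)):
        print(name, triage_mcl(sample) or ["no findings"])
    for alert in flag_events(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The static triage deliberately uses regular expressions rather than an XML parser, because the interesting files are exactly the ones that stop being well-formed XML once HTML and script are appended; a parser that raises on the first stray tag would hide the most useful signal. The Startup-folder pattern matches any username, so it does not depend on the placeholder that the PoC hard-codes.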
No detection rules found.
Related coverage: Talos, "Microsoft Patch Tuesday - December 2015" (blog post, 2015-12-08, rated MEDIUM, CVSS 5.0)
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated "Critical" this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated "Important" and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.
### Bulletins Rated Critical
MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.
MS15-124 and MS15-125 are this month's Edge and Internet Explorer security bulletins, respectively. In total, 34 vulnerabilit…
References
- http://www.securitytracker.com/id/1034335
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-134
- https://www.exploit-db.com/exploits/38911/