Microsoft Opts to Block, Not Patch, Vulnerable Codec

Buried within Microsoft's latest batch of bug patches this week was a Security Advisory regarding vulnerabilities in an old Intel video codec (coder/decoder). To be sure, the holes are serious, but Microsoft's way of addressing problems with this particular codec is out of the ordinary.

Rather than patching the 17-year-old software, known as the Indeo codec, Microsoft is instead telling affected users to disable it with either an update or with workarounds.

"Instead of fixing specific vulnerabilities, Microsoft is creating defense-in-depth changes that reduce the attack surface all together for known vulnerabilities, and future similar vulnerabilities," Microsoft's Security Advisory said.

The flaws are potentially dangerous: The security holes can be exploited if a user happens to visit a site that contains booby-trapped content that calls for the Indeo codec, and exploitation can result in complete compromise of the user's system.

And while the codec's technology dates to the days of Windows 3.1, some applications do still require use of the technology -- which means it could be found on the many modern systems running pre-Vista editions of Windows.

Although Microsoft has not divulged how many holes are known in the codec, VeriSign's iDefense Labs claims to have alerted Microsoft to at least one of the holes as early as last June.

Unusual approach

The advisory in which Microsoft provided its workaround was among three that the company included with its usual mix of Security Bulletins during the December installment of its regular monthly "Patch Tuesday" roundup of fixes, released earlier this week.

Ordinarily, Microsoft reserves Security Advisories for issuing warnings regarding potential vulnerabilities, or flaws for which it doesn't yet have patches. It also typically issues them in response to incidents occurring between Patch Tuesday releases. Microsoft Security Bulletins, in contrast, are normally released on Patch Tuesday and always contain fixes for known bugs.

Rarely, however, does Microsoft say out loud that it will not fix an acknowledged security hole or holes, as it has in this case.

Almost as unusual is the fact that the Security Advisory came with an update that blocks the codec from functioning when it's run on the at-risk operating systems, which include Windows 2000, Windows XP, and Windows Server 2003. (Meanwhile, Windows Vista, Windows Server 2008, and Windows 7 are not at risk because the codec is de-registered on those systems.)

Closing the vulnerability

On machines running the affected OSes, the update keeps the codec from being launched in either Internet Explorer or Windows Media Player.

"By only allowing applications to use the Indeo codec when the media content is from the local system or from the intranet zone, and by preventing Internet Explorer and Windows Media Player from launching the codec at all, this update removes the most common remote attack vectors but still allows games or other applications that leverage the codec locally to continue to function," the advisory said.

Alternatively, users can unregister the codec in the Windows registry. That will completely prevent the codec from being used -- including by any corporate applications that might need it, the advisory cautioned.

"In this case, we created defense-in-depth changes that reduce the attack surface and removed the functionality of this codec rather than addressing individual vulnerabilities because it provided more comprehensive protection for an older, less used codec," a Microsoft spokesperson said in an e-mail. "This solution also allows existing Line-of-Business applications to continue functioning if the customer desired."

Stuart Johnston is a contributing writer to InternetNews.com, based in Bellevue, Wash.