Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
Microsoft is announcing the availability of an update that provides security mitigations to the Indeo codec on supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003.
The Indeo codec on systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow code remote code execution when opening specially crafted media content. The update blocks the Indeo codec from being launched in Internet Explorer or Windows Media player. The update also removes the ability for this codec to be loaded when browsing the Internet with any other applications. By only allowing applications to use the Indeo codec when the media content is from the local system or from the intranet zone, and by preventing Internet Explorer and Windows Media Player from launching the codec at all, this update removes the most common remote attack vectors but still allows games or other applications that leverage the codec locally to continue to function.
The update is available through automatic updating and from the Microsoft Download Center. Customers who have automatic updating enabled will not need to take any action because this security update will be downloaded and installed automatically. For more information about this issue, including download links for this non-security update, see Microsoft Knowledge Base Article 954157.
The Indeo codec may be used and may be required by certain applications in multiple ways. The Indeo codec may be required when visiting legitimate Web sites, and in corporate environment line-of-business applications. This is likely to be a more common scenario for customers running older operating systems. Therefore, this update is being offered to customers on older operating systems automatically, but will still allow the codec to function in line-of-business application scenarios. On the other hand, customers who do not have a use for the codec may choose to take an additional step and deregister the codec completely. Deregistering the codec would remove all attack vectors that leverage the Indeo codec. See Microsoft Knowledge Base Article 954157 for directions on how to deregister the codec.
We encourage customers running supported editions of Microsoft Windows 2000, Windows XP, and Windows 2003 to review and install this update or to deregister the Indeo codec. By installing this update and deregistering the codec on these older operating systems, customers will have the same mitigations included in Windows Vista and Windows 7.
For more information about this issue, see the following references:
|Microsoft Knowledge Base Article||954157|
This advisory discusses the following software.
|Microsoft Windows 2000 Service Pack 4|
|Windows XP Service Pack 2 and Windows XP Service Pack 3|
|Windows XP Professional x64 Edition Service Pack 2|
|Windows Server 2003 Service Pack 2|
|Windows Server 2003 x64 Edition Service Pack 2|
|Windows Server 2003 with SP2 for Itanium-based Systems|
|Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2|
|Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2|
|Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2|
|Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2|
|Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2|
|Windows 7 for 32-bit Systems|
|Windows 7 for x64-based Systems|
|Windows Server 2008 R2 for x64-based Systems|
|Windows Server 2008 R2 for Itanium-based Systems|
Microsoft thanks the following for working with us to help protect customers:
- Paul Byrne of NGS Software for reporting the vulnerabilities in the Indeo codec
- An anonymous researcher, working with TippingPoint and the Zero Day Initiative, for reporting several vulnerabilities in the Indeo codec
- Bing Liu of Fortinet's FortiGuard Labs for reporting the vulnerabilities in the Indeo codec
- VeriSign iDefense Labs for reporting the vulnerabilities in the Indeo codec
- Dave Lenoe of Adobe for reporting the vulnerabilities in the Indeo codec
- Will Dormann of Cert/CC for reporting the vulnerabilities in the Indeo codec
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (December 8, 2009): Advisory published.