Microsoft Security Advisory (954157)

Security Enhancements for the Indeo Codec

Published: Tuesday, December 08, 2009

Version: 1.0

General Information

Executive Summary

Microsoft is announcing the availability of an update that provides security mitigations to the Indeo codec on supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003.

The Indeo codec on systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow code remote code execution when opening specially crafted media content. The update blocks the Indeo codec from being launched in Internet Explorer or Windows Media player. The update also removes the ability for this codec to be loaded when browsing the Internet with any other applications. By only allowing applications to use the Indeo codec when the media content is from the local system or from the intranet zone, and by preventing Internet Explorer and Windows Media Player from launching the codec at all, this update removes the most common remote attack vectors but still allows games or other applications that leverage the codec locally to continue to function.

The update is available through automatic updating and from the Microsoft Download Center. Customers who have automatic updating enabled will not need to take any action because this security update will be downloaded and installed automatically. For more information about this issue, including download links for this non-security update, see Microsoft Knowledge Base Article 954157.

The Indeo codec may be used and may be required by certain applications in multiple ways. The Indeo codec may be required when visiting legitimate Web sites, and in corporate environment line-of-business applications. This is likely to be a more common scenario for customers running older operating systems. Therefore, this update is being offered to customers on older operating systems automatically, but will still allow the codec to function in line-of-business application scenarios. On the other hand, customers who do not have a use for the codec may choose to take an additional step and deregister the codec completely. Deregistering the codec would remove all attack vectors that leverage the Indeo codec. See Microsoft Knowledge Base Article 954157 for directions on how to deregister the codec.

We encourage customers running supported editions of Microsoft Windows 2000, Windows XP, and Windows 2003 to review and install this update or to deregister the Indeo codec. By installing this update and deregistering the codec on these older operating systems, customers will have the same mitigations included in Windows Vista and Windows 7.

Advisory Details

Issue References

For more information about this issue, see the following references:

References	Identification
Microsoft Knowledge Base Article	954157

Affected and Non-Affected Software

This advisory discusses the following software.


Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Non-Affected Software
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
This advisory provides notification that a defense-in-depth update described in this advisory is available through automatic updating and is also described in Microsoft Knowledge Base Article 954157. This update affects the software listed in the Affected Software table.

What is the Indeo Codec?
The Indeo Codec is a codec that decompresses digital media files for use in applications like Windows Media Player. For more information on codecs, see Using codecs.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site.

It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

Another way that an attacker could exploit this vulnerability is to get specially crafted media content onto a user's system that leverages the Indeo codec.

Is there a change in user experience after this update is installed?
After the updates discussed in this article are installed, users may notice that media content from Web sites may no longer be loaded in Internet Explorer or in Windows Media Player. Applications or games that use this codec from content located on the local system will continue to work.

How do I disable the Indeo codec?
It is possible to disable this codec by deregistering the codec. Deregistering the codec will prevent any application or media content from using this codec. For directions on how to deregister the codec, see Microsoft Knowledge Base Article 954157.

How do I re-enable the use of this codec after this update is installed?
It is possible to re-enable the functionality of the Indeo codec after this update is installed. Re-enabling the codec will expose users to the risk of a remote code execution attack and should only be considered if the need for the functionality of the codec outweighs the risk of exposure. For more information on how to re-enable the codec functionality, see Microsoft Knowledge Base Article 954157.

Why are there two parts to the update associated with this advisory?
There are two parts to this update that help mitigate the risks associated with the Indeo codec. One is the update to Quartz.dll, which is the primary binary used by Windows Media Player. The second is the update that is provided by Application Compatibility Shim technology. The Media player update prevents applications from opening media content that leverages the Indeo codec from playing in the Internet zone, while the Application Compatibility Shim technology update stops Internet Explorer and Windows Media Player from loading media content that uses the Indeo codec.

Why is this update not associated with a Security Bulletin?
This update is not associated with a security bulletin because it does not remediate specific vulnerabilities, but instead provides additional defense-in-depth mitigations to bring older operating systems closer to the same level of security protection as Windows Vista and Windows 7. Customers should apply this update to mitigate the threat in common scenarios, and evaluate deregistering the Indeo codec to remove access to the codec in any scenario.

Why is Microsoft not fixing specific vulnerabilities in this update?
The Indeo codec is an older codec that is known to have several security vulnerabilities. Instead of fixing specific vulnerabilities, Microsoft is creating defense-in-depth changes that reduce the attack surface all together for known vulnerabilities, and future similar vulnerabilities.

Mitigating Factors

Workarounds

Additional Suggested Actions

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Paul Byrne of NGS Software for reporting the vulnerabilities in the Indeo codec
An anonymous researcher, working with TippingPoint and the Zero Day Initiative, for reporting several vulnerabilities in the Indeo codec
Bing Liu of Fortinet's FortiGuard Labs for reporting the vulnerabilities in the Indeo codec
VeriSign iDefense Labs for reporting the vulnerabilities in the Indeo codec
Dave Lenoe of Adobe for reporting the vulnerabilities in the Indeo codec
Will Dormann of Cert/CC for reporting the vulnerabilities in the Indeo codec

Feedback

You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.

Support

Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (December 8, 2009): Advisory published.