Topic: Critical Indeo fix not in last Tuesday's automatic updates!


polonus
Critical Indeo fix not in last Tuesday's automatic updates!
« on: December 21, 2009, 09:00:35 PM »
Hi malware fighters,

Microsoft Indeo fix NOT via Automatic Updates?!

It is a strange thing that Microsoft, during last patch Tuesday, did not classify the following critical vulnerability for an automatic update (remote code execution, e.g. by visiting a malcoded website). What is a serious thing is that this update has not been spread through automatic updates, at least as far as PCs with XP SP3 are concerned.

We mean here the "Update for Windows XP (KB955759)", according to Microsoft Update a high-priority update, and the comments found at http://support.microsoft.com/kb/954157:
Microsoft Security Advisory: Vulnerabilities in the Indeo codec could allow remote code execution: December 8, 2009
[...]
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/advisory/954157.mspx
Well, in a nutshell, this all sounds serious enough. In http://www.microsoft.com/technet/security/advisory/954157.mspx, to which is being linked, this is dealt with rather dubiously:
Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
Published: December 08, 2009
Version: 1.0
[...]
The update is available through automatic updating and from the Microsoft Download Center.
As US CERT (see http://www.kb.cert.org/vuls/id/228561) comments, this patch should have been spread through automatic updates. However, the reality is that it was not, at least on XP SP3 where automatic updates is on.

Furthermore, this is not a genuine patch, but just killing (de-registering) the Indeo codec. It seems however a necessary system change, one that will not be performed on a lot of PCs, while the owners of these machines have automatic updates installed and working; they think they are secure and they are not.

Then we find in http://www.microsoft.com/technet/security/advisory/954157.mspx, amongst other things:
Why is this update not associated with a Security Bulletin?
This update is not associated with a security bulletin because it does not remediate specific vulnerabilities, but instead provides additional defense-in-depth mitigations to bring older operating systems closer to the same level of security protection as Windows Vista and Windows 7. Customers should apply this update to mitigate the threat in common scenarios, and evaluate deregistering the Indeo codec to remove access to the codec in any scenario.

Why is Microsoft not fixing specific vulnerabilities in this update?
The Indeo codec is an older codec that is known to have several security vulnerabilities. Instead of fixing specific vulnerabilities, Microsoft is creating defense-in-depth changes that reduce the attack surface all together for known vulnerabilities, and future similar vulnerabilities.

Well, aren't we all happy!?! That it is not some obscure, hard-to-trace problem is shown by MS thanking 6 individuals for reporting the vulnerabilities in the Indeo codec. POC exploits are available now (see http://www.vupen.com/exploits/Microsoft_Windows_Indeo_IV32_Codec_Memory_Corruption_PoC_KB954157_3440271.php).

Did others also notice that these updates KB955759 aka KB954157 (or whatever the patch may be called) were not installed automatically on PCs with automatic update on? And what about Vista and Windows 7?

polonus

P.S. XP SP3 users, download the patch: http://download.microsoft.com/download/f/4/f/f4f91ded-abe3-4c9b-9cef-dd12151103c1/windowsxp-kb955759-x86-enu.exe
« Last Edit: December 21, 2009, 09:08:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus
Re: Critical Indeo fix not in last Tuesday's automatic updates!
« Reply #1 on: December 21, 2009, 11:08:55 PM »
Hi malware fighters,

Here is a reply I got in another forum:
Quote
I thought that MS's "fix" was by not fixing it at all, but rather to disable the Indeo codec.
And that is probably not a bad or the wrong thing to do.

By doing so, they may break things for a minority of users.
And I suspect that whatever it is that they're now offering as a "fix" is only to appease those users.

Kind of like enabling SSL2 in your browser. Any modern browser would have SSL2 disabled. The framework is still there, it can still be used, but by doing so you put yourself at risk, because SSL2 is broken (insecure). So the prudent course of action is to disable it. (Or look at it like the prudent thing to do with JavaScript is to disable it.)

So there might be a reason why it has been presented as it was. I just wanted to report it here, so that our forum users were informed on this issue; well, that is also part of our mission here,

polonus

DavidR
Re: Critical Indeo fix not in last Tuesday's automatic updates!
« Reply #2 on: December 22, 2009, 12:37:28 AM »
Well, if they have no intention of fixing the security holes in this old codec, then they shouldn't just let this hide in a dusty corner that no one can find.

My way of looking at it is, if they have no intention of fixing the problem, then it should most certainly be offered in the Windows updates; they can choose to do that in the same way they have for other non-security-related foistware that they have pushed out in the past, WGA as the point in question, and others no doubt.

For me, I rarely play videos, much less through IE, which I avoid like the plague, and I don't have WMP installed either, so for me using the Fix it button on your first link for Update for Windows XP (KB955759) is a no-brainer. This downloads MicrosoftFixit50326.msi, which presumably does all the donkey work of unregistering the various files mentioned, etc.
« Last Edit: December 22, 2009, 12:39:21 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
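Both the first post (the "fix" just de-registers the codec) and DavidR's reply (the Fix it MSI unregisters the files) come down to one question an admin can check directly: is Indeo still registered as a Video for Windows codec on this machine? The audit below is an added example, not code from the thread or from Microsoft; it assumes the standard VfW registration location (the Drivers32 key) and the conventional value names vidc.iv31/iv32/iv41/iv50, which the thread itself does not list. It only reports, it changes nothing.

```powershell
# Added example: report whether Indeo VfW codec entries are still registered.
# Assumption: Indeo registers under the standard VfW Drivers32 key with the
# value names below (taken from VfW conventions, not from the forum thread).
$drivers32   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$indeoValues = 'vidc.iv31', 'vidc.iv32', 'vidc.iv41', 'vidc.iv50'

function Get-IndeoRegistration {
    # Read all values of Drivers32 once; a missing key just yields $null.
    $props = Get-ItemProperty -Path $drivers32 -ErrorAction SilentlyContinue
    foreach ($name in $indeoValues) {
        $module = if ($props) { $props.$name } else { $null }
        $path   = if ($module) { Join-Path $env:SystemRoot "System32\$module" } else { $null }
        [pscustomobject]@{
            Entry      = $name                      # VfW FOURCC registration name
            Registered = [bool]$module              # value present in Drivers32?
            Module     = $module                    # codec DLL/AX the entry points to
            OnDisk     = if ($path) { Test-Path $path } else { $false }
        }
    }
}

$report = Get-IndeoRegistration
$report | Format-Table -AutoSize

# A registered entry means the codec can still be loaded by VfW clients,
# i.e. the deregistration the advisory recommends has not been applied here.
if ($report | Where-Object { $_.Registered }) {
    Write-Warning 'Indeo codec still registered; apply the Fix it / deregistration from advisory 954157.'
} else {
    Write-Host 'No Indeo VfW entries registered on this system.'
}
```

On 64-bit Windows the 32-bit codec registrations live under the WOW6432Node branch as well, so run the check against both hives there.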

polonus
Re: Critical Indeo fix not in last Tuesday's automatic updates!
« Reply #3 on: December 24, 2009, 06:45:21 PM »
Hi malware fighters,

I received the following info:
Quote
Not every machine will have the Indeo codec installed, IIUC. For example, my older XP SP2 Home machine did not (or had it deleted). The newer one, with XP SP 2 Pro, did, and IIRC, Auto-Update detected that and installed the correction.

I don't know about SP3, as my OEM strongly recommends against installing SP3 and does *not* support it. Perhaps this is an SP3-specific issue? link: http://forums.informaction.com/viewtopic.php?f=19&t=3417#p14552
Tom T. is a very apt, security-aware poster in that specific forum and I value his response particularly,

polonus