Hi malware fighters,
Microsoft Indeo fix NOT via Automatic Updates?!
It is a strange thing that Microsoft, during last Patch Tuesday, did not classify the following critical vulnerability for an automatic update (remote code execution, e.g. by visiting a malcoded website). What is serious is that this update has not been spread through automatic updates, at least as far as PCs with XP SP3 are concerned.
We mean here an "Update for Windows XP (KB955759)", according to Microsoft Update a High-priority update, and the comments found at
http://support.microsoft.com/kb/954157 :
Microsoft Security Advisory: Vulnerabilities in the Indeo codec could allow remote code execution: December 8, 2009
[...]
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/advisory/954157.mspx
Well, in a nutshell, this all sounds serious enough. In
http://www.microsoft.com/technet/security/advisory/954157.mspx , to which this links, this is dealt with rather dubiously:
Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
Published: December 08, 2009
Version: 1.0
[...]
The update is available through automatic updating and from the Microsoft Download Center.
As US CERT (see
http://www.kb.cert.org/vuls/id/228561) comments, this patch should have been spread through automatic updates. However, the reality is that it was not, at least on XP SP3 where Automatic Updates is on.
Furthermore, this is not a genuine patch, but just kills (deregisters) the Indeo codec. It seems, however, a necessary system change that will not be performed on a lot of PCs, while the owners of these machines, who have automatic updates installed and working, think they are secure when they are not.
Then we find in
http://www.microsoft.com/technet/security/advisory/954157.mspx , amongst other things:
Why is this update not associated with a Security Bulletin?
This update is not associated with a security bulletin because it does not remediate specific vulnerabilities, but instead provides additional defense-in-depth mitigations to bring older operating systems closer to the same level of security protection as Windows Vista and Windows 7. Customers should apply this update to mitigate the threat in common scenarios, and evaluate deregistering the Indeo codec to remove access to the codec in any scenario.
Why is Microsoft not fixing specific vulnerabilities in this update?
The Indeo codec is an older codec that is known to have several security vulnerabilities. Instead of fixing specific vulnerabilities, Microsoft is creating defense-in-depth changes that reduce the attack surface all together for known vulnerabilities, and future similar vulnerabilities.
Well, aren't we all happy!?! That it is not some obscure, hard-to-trace problem is shown by MS thanking 6 individuals for reporting the vulnerabilities in the Indeo codec. PoC exploits are available now (see
http://www.vupen.com/exploits/Microsoft_Windows_Indeo_IV32_Codec_Memory_Corruption_PoC_KB954157_3440271.php ).
Did others also notice that these updates, KB955759 aka KB954157 (or whatever the patch may be called), were not installed automatically on PCs with Automatic Updates on? And what about Vista and Windows 7?
polonus
P.S. XP SP3 users, download the patch:
http://download.microsoft.com/download/f/4/f/f4f91ded-abe3-4c9b-9cef-dd12151103c1/windowsxp-kb955759-x86-enu.exe
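The post raises two questions an administrator would want to answer on each XP SP3 box: was KB955759 actually installed, and is the Indeo codec still registered? The following PowerShell script is an added example, not part of the original post and not Microsoft's own tooling. It assumes (these are assumptions, not facts from the post) that the update records itself as hotfix ID KB955759 in Win32_QuickFixEngineering, and that the Indeo codecs are registered as the vidc.iv31, vidc.iv32, vidc.iv41 and vidc.iv50 values under the Drivers32 registry key. It only reads state and changes nothing.

```powershell
# Added example (not from the original post): report whether the KB955759
# update is present and whether Indeo codecs are still registered.
# Assumption: KB955759 appears as a HotFixID in Win32_QuickFixEngineering.
# Assumption: Indeo is registered via the vidc.iv* values under Drivers32.

$KbId        = 'KB955759'
$Drivers32   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$IndeoValues = @('vidc.iv31', 'vidc.iv32', 'vidc.iv41', 'vidc.iv50')

function Test-KbInstalled {
    param([string]$Id)
    # Win32_QuickFixEngineering lists installed hotfixes on XP/Vista/7.
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering |
              Where-Object { $_.HotFixID -eq $Id }
    return ($hotfix -ne $null)
}

function Get-RegisteredIndeoCodecs {
    # Returns "name = dll" strings for each Indeo value still present.
    if (-not (Test-Path $Drivers32)) { return @() }
    $props = Get-ItemProperty -Path $Drivers32
    $found = @()
    foreach ($name in $IndeoValues) {
        $value = $props.$name
        if ($value) { $found += ('{0} = {1}' -f $name, $value) }
    }
    return $found
}

function Get-IndeoMitigationReport {
    $report = New-Object PSObject -Property @{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = (Get-WmiObject Win32_OperatingSystem).Version
        KbInstalled      = Test-KbInstalled -Id $KbId
        RegisteredCodecs = @(Get-RegisteredIndeoCodecs)
    }
    # The update is a defense-in-depth change, so "patched" here means the
    # hotfix is recorded AND no Indeo codec remains registered.
    $report | Add-Member -MemberType NoteProperty -Name Mitigated `
        -Value ($report.KbInstalled -and $report.RegisteredCodecs.Count -eq 0)
    return $report
}

$r = Get-IndeoMitigationReport
Write-Host ("Host: {0}  OS: {1}" -f $r.ComputerName, $r.OSVersion)
Write-Host ("{0} installed: {1}" -f $KbId, $r.KbInstalled)
if ($r.RegisteredCodecs.Count -gt 0) {
    Write-Host "Indeo codecs still registered:"
    $r.RegisteredCodecs | ForEach-Object { Write-Host ("  " + $_) }
} else {
    Write-Host "No Indeo codecs registered under Drivers32."
}
Write-Host ("Mitigation in place: {0}" -f $r.Mitigated)
```

Run it in an elevated PowerShell prompt (PowerShell 2.0 is the version available for XP SP3). A host that reports the hotfix missing while Automatic Updates is on is exactly the case the post describes, and the Drivers32 check catches the other half: a machine where the update was never applied, or where the codec was re-registered by later software, will still show vidc.iv* entries. Because the expected values for Drivers32 are an assumption here, confirm them against the Microsoft advisory's workaround section before relying on this check fleet-wide.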