SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

Report a Vulnerability

 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#228561

Microsoft Indeo video codecs contain multiple vulnerabilities

Overview

The Indeo video codecs that are provided by Microsoft Windows contain multiple vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Indeo is a video codec that was developed by Intel and Microsoft. Multiple versions of the Indeo video codec are included with several versions of Windows, including Windows 2000, XP, and Server 2003. Each of the Indeo codecs that are provided with Microsoft Windows contains multiple vulnerabilities that can result in memory corruption. The vulnerable video codecs can be reached through a variety of APIs, including Video for Windows (VfW) or the more recent DirectShow API. Any application that uses these APIs may be vulnerable. For example, Windows Media Player, Internet Explorer, and Windows Explorer can be used as attack vectors.

II. Impact

By convincing a user to process specially-crafted Indeo video content, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This can occur by viewing a web page with Internet Explorer, opening a media file with Windows Media Player, or simply by selecting a media file in Windows Explorer.

III. Solution

Apply an update

This vulnerability is mitigated by the updates specified in Microsoft Security Advisory (954157), which have been distributed through Microsoft's automatic updates system. The updates are provided by Microsoft Support article KB955759, which sets the AppCompat values to prevent Internet Explorer and Windows Media Player from using the Indeo codecs, and Microsoft Support article KB976138, which updates quartz.dll on Windows 2000 systems to limit the zones that can use the Indeo codecs (Windows XP and later already have the zone restriction). Note that even after installing these updates, some attack vectors, such as Windows Explorer, will still be open.

Unregister the Indeo codecs

Microsoft Support article KB954157 provides a "Fix it" utility to automatically unregister the Indeo codec files. This will prevent the vulnerable codecs from being used by any application unless the codecs are re-registered. This mitigation is more comprehensive than the above updates; however, it may negatively impact applications that require an Indeo codec.

Systems Affected

VendorStatusDate NotifiedDate Updated
Intel CorporationVulnerable2009-06-222009-12-14
Microsoft CorporationVulnerable2009-06-122009-12-14

References

http://www.microsoft.com/technet/security/advisory/954157.mspx
http://support.microsoft.com/kb/954157
http://support.microsoft.com/kb/955759
http://support.microsoft.com/kb/976138
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=835

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public:2009-12-08
Date First Published:2009-12-14
Date Last Updated:2010-04-16
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Severity Metric:9.56
Document Revision:16

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2009 by US-CERT, a government organization
Disclaimers and copyright information
Get a PDF Reader