Microsoft Indeo fix NOT via Automatic Updates?!

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Microsoft Indeo fix NOT via Automatic Updates?!

Post by luntrus »

It is a strange thing that Microsoft, during last Patch Tuesday, did not classify the following critical vulnerability for an automatic update (remote code execution, e.g. by visiting a malcoded website). What is a serious thing is that this update has not been spread through automatic updates, at least as far as PCs with XP SP3 are concerned.

We mean here an "Update for Windows XP (KB955759)", according to Microsoft Update a High-priority update, and the comments found at http://support.microsoft.com/kb/954157:
Microsoft Security Advisory: Vulnerabilities in the Indeo codec could allow remote code execution: December 8, 2009
[...]
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/securi ... 54157.mspx
Well, in a nutshell, this all sounds serious enough. In http://www.microsoft.com/technet/securi ... 54157.mspx, to which it links, this is dealt with rather dubiously:
Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
Published: December 08, 2009
Version: 1.0
[...]
The update is available through automatic updating and from the Microsoft Download Center.
As US-CERT (see http://www.kb.cert.org/vuls/id/228561) comments, this patch should have been spread through automatic updates. However, the reality is that it was not, at least on XP SP3 where automatic updates is on.

Furthermore, this is not a genuine patch, but just killing (de-registering) the Indeo codec. It seems necessary, however, as a system change that will not be performed on a lot of PCs, while the owners of these machines have automatic updates installed and working; they think they are secure, and they are not.

Then we find in http://www.microsoft.com/technet/securi ... 54157.mspx, amongst other things:
Why is this update not associated with a Security Bulletin?
This update is not associated with a security bulletin because it does not remediate specific vulnerabilities, but instead provides additional defense-in-depth mitigations to bring older operating systems closer to the same level of security protection as Windows Vista and Windows 7. Customers should apply this update to mitigate the threat in common scenarios, and evaluate deregistering the Indeo codec to remove access to the codec in any scenario.

Why is Microsoft not fixing specific vulnerabilities in this update?
The Indeo codec is an older codec that is known to have several security vulnerabilities. Instead of fixing specific vulnerabilities, Microsoft is creating defense-in-depth changes that reduce the attack surface all together for known vulnerabilities, and future similar vulnerabilities.

Well, aren't we all happy!?! That it is not some obscure, hard-to-trace problem is shown by MS thanking 6 individuals for reporting the vulnerabilities in the Indeo codec. PoC exploits are available now (see http://www.vupen.com/exploits/Microsoft ... 440271.php).

Did others also notice that these updates, KB955759 aka KB954157 (or whatever the patch may be called), were not installed automatically on PCs with automatic update on? And what about Vista and Windows 7?

polonus

P.S. XP SP3 users can download the patch: http://download.microsoft.com/download/ ... 86-enu.exe
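A check a defender can run on a machine in the scenario this post describes, added here and not part of the original post or of Microsoft's update: it reads the Video-for-Windows codec registrations under Drivers32 and reports whether any Indeo entries are still present, since the update discussed above deregisters the codec rather than patching it. The Drivers32 key path and the Indeo FOURCCs (iv31, iv32, iv41, iv50) are assumptions from general Windows knowledge, not values quoted in the thread, and the check covers VfW registrations only, not the DirectShow filter side.

```powershell
# Added example, not code from the thread or from Microsoft's update.
# Reports whether Indeo Video-for-Windows codec entries are still registered,
# since the KB954157/KB955759 mitigation deregisters the codec instead of
# patching it. Assumed (not on the page): VfW codecs live under Drivers32 as
# vidc.<fourcc> values and the Indeo FOURCCs are iv31, iv32, iv41 and iv50.
$Drivers32    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$IndeoFourccs = @('iv31', 'iv32', 'iv41', 'iv50')

function Get-IndeoRegistration {
    # Read all values under Drivers32 once; a missing key yields $null.
    $key = Get-ItemProperty -Path $Drivers32 -ErrorAction SilentlyContinue
    foreach ($fourcc in $IndeoFourccs) {
        $name   = "vidc.$fourcc"
        $module = $null
        if ($key -ne $null -and $key.PSObject.Properties[$name] -ne $null) {
            $module = [string]$key.$name
        }
        # A registered entry whose DLL is gone cannot load, so note that too.
        $onDisk = $false
        if ($module) {
            $onDisk = Test-Path (Join-Path $env:SystemRoot "System32\$module")
        }
        # New-Object rather than [PSCustomObject] keeps this PowerShell 2.0 compatible (XP era).
        New-Object PSObject -Property @{
            Value      = $name
            Registered = [bool]$module
            Module     = $module
            FileOnDisk = $onDisk
        }
    }
}

$results = @(Get-IndeoRegistration)
$results | Select-Object Value, Registered, Module, FileOnDisk | Format-Table -AutoSize

$stillRegistered = @($results | Where-Object { $_.Registered })
if ($stillRegistered.Count -gt 0) {
    Write-Warning ('Indeo VfW codec still registered: ' + (($stillRegistered | ForEach-Object { $_.Value }) -join ', '))
} else {
    Write-Output 'No Indeo VfW codec entries are registered on this machine.'
}
```

On 64-bit Windows the 32-bit codec table also lives under the Wow6432Node copy of this key, which this check does not read.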
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Microsoft Indeo fix NOT via Automatic Updates?!

Post by therube »

(Without having read your post/links ...)

I thought that MS's "fix" was by not fixing it at all, but rather to disable the Indeo codec.
And that is probably not a bad or the wrong thing to do.

By doing so, they may break things for a minority of users.
And I suspect that whatever it is that they're now offering as a "fix" is only to appease those users.


Kind of like enabling SSL2 in your browser. Any modern browser would have SSL2 disabled. The framework is still there, it can still be used, but by doing so you put yourself at risk, because SSL2 is broken (insecure). So the prudent course of action is to disable it. (Or look at it like the prudent thing to do with JavaScript is to disable it. There's probably even an extension to allow you to selectively enable it with relative ease ;-).)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Microsoft Indeo fix NOT via Automatic Updates?!

Post by Tom T. »

Not every machine will have the Indeo codec installed, IIUC. For example, my older XP SP2 Home machine did not (or had it deleted). The newer one, with XP SP 2 Pro, did, and IIRC, Auto-Update detected that and installed the correction.

I don't know about SP3, as my OEM strongly recommends against installing SP3 and does *not* support it. Perhaps this is an SP3-specific issue?

Anyway, the SP 2 Pro machine with Indeo codec did indeed get the update, 955759.