=====================================================================
CERT-Renater Information Note No. 2009/VULN525
_____________________________________________________________________
DATE                 : 11/12/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Windows 2000, Windows XP, Windows Server 2003 running the Indeo codec.
======================================================================

http://www.microsoft.com/technet/security/advisory/954157.mspx
______________________________________________________________________

Microsoft Security Advisory (954157)
Security Enhancements for the Indeo Codec
Published: December 08, 2009
Version: 1.0

General Information

Executive Summary

Microsoft is announcing the availability of an update that provides security mitigations for the Indeo codec on supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003. The Indeo codec on systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow remote code execution when specially crafted media content is opened.

The update blocks the Indeo codec from being launched in Internet Explorer or Windows Media Player. The update also removes the ability for this codec to be loaded when browsing the Internet with any other application. By only allowing applications to use the Indeo codec when the media content comes from the local system or from the intranet zone, and by preventing Internet Explorer and Windows Media Player from launching the codec at all, this update removes the most common remote attack vectors while still allowing games or other applications that use the codec locally to continue to function.

The update is available through automatic updating and from the Microsoft Download Center. Customers who have automatic updating enabled do not need to take any action, because this update will be downloaded and installed automatically.
For more information about this issue, including download links for this non-security update, see Microsoft Knowledge Base Article 954157.

The Indeo codec may be used, and may be required, by certain applications in multiple ways. The Indeo codec may be required when visiting legitimate Web sites, and by line-of-business applications in corporate environments. This is likely to be a more common scenario for customers running older operating systems. Therefore, this update is offered automatically to customers on older operating systems, but it still allows the codec to function in line-of-business application scenarios.

On the other hand, customers who have no use for the codec may choose to take an additional step and deregister the codec completely. Deregistering the codec removes all attack vectors that rely on the Indeo codec. See Microsoft Knowledge Base Article 954157 for directions on how to deregister the codec.

We encourage customers running supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 to review and install this update, or to deregister the Indeo codec. By installing this update or deregistering the codec on these older operating systems, customers obtain the same mitigations that are included in Windows Vista and Windows 7.
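The advisory leaves the deregistration steps to KB 954157. Before deciding between the mitigating update and full deregistration, an administrator will want to know whether a host still has the codec registered at all. The following PowerShell script is an added example written for this note; it is not part of the CERT-Renater text or of Microsoft's advisory or knowledge base article. It assumes that the Indeo 3.x/4.x/5.x codecs are registered through the standard Video for Windows mechanism, as the FOURCC tags vidc.iv31, vidc.iv32, vidc.iv41 and vidc.iv50 under the Drivers32 registry key; that mapping is an assumption to confirm against KB 954157 on your own systems, especially before running with -Deregister.

```powershell
# Added example (not part of the CERT-Renater note or the Microsoft advisory).
# Inventories Video for Windows codec registrations on a Windows XP / Server 2003
# host and reports the Indeo ones; with -Deregister it removes those entries.
# Assumption: Indeo 3.x/4.x/5.x register as the FOURCC tags vidc.iv31, vidc.iv32,
# vidc.iv41 and vidc.iv50 under Drivers32 (the standard VfW mechanism). Confirm the
# exact steps against Microsoft KB 954157 before running with -Deregister.
param([switch]$Deregister)

$indeoTags = 'vidc.iv31', 'vidc.iv32', 'vidc.iv41', 'vidc.iv50'

# Native registry view, plus the 32-bit view that exists on x64 editions.
$candidates = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
$hives = @()
foreach ($p in $candidates) {
    if (Test-Path $p) { $hives += $p }
}

$found = @()
foreach ($hive in $hives) {
    # 32-bit codec DLLs live in SysWOW64 when they were registered in the Wow6432Node view.
    if ($hive -match 'Wow6432Node') { $sysdir = 'SysWOW64' } else { $sysdir = 'system32' }
    $key = Get-Item -Path $hive
    foreach ($name in $key.GetValueNames()) {
        if ($indeoTags -contains $name.ToLower()) {
            $dll = $key.GetValue($name)
            $found += New-Object PSObject -Property @{
                Key    = $hive
                Tag    = $name
                Dll    = $dll
                OnDisk = (Test-Path (Join-Path $env:SystemRoot "$sysdir\$dll"))
            }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host 'No Indeo (vidc.iv*) registrations found in Drivers32.'
    return
}

$found | Format-Table Tag, Dll, OnDisk, Key -AutoSize

if ($Deregister) {
    foreach ($f in $found) {
        # Dropping the Drivers32 value stops VfW-based players from resolving the
        # codec; the DLL stays on disk so a line-of-business installer can restore it.
        Remove-ItemProperty -Path $f.Key -Name $f.Tag
        Write-Host "Removed $($f.Tag) -> $($f.Dll) from $($f.Key)"
    }
}
```

Run it without arguments from an elevated prompt to get the inventory, and with -Deregister to remove the VfW entries. Two caveats: the script handles only the Video for Windows registration, not any DirectShow (COM) filter registration the Indeo 4 and 5 components may also carry, which is why the KB article, not this script, remains the reference for complete deregistration; and PowerShell is not available on Windows 2000, where the same values can be listed and deleted with reg.exe (reg query / reg delete on the Drivers32 key) instead.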
Affected Software

Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems

======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER             | tel  : 01-53-94-20-44      +
+ 151 bd de l'Hopital      | fax  : 01-53-94-20-41      +
+ 75013 Paris              | email: certsvp@renater.fr  +
=========================================================