Rather than patch, Microsoft blocks buggy code
In a rare move, declines to fix multiple flaws in Windows 2000, XP
Computerworld - Microsoft has decided to disable a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities, according to the company's security team.
Last Tuesday, the same day it issued six updates that patched 12 bugs, Microsoft released a security advisory that outlined the unusual move, which blocks the Indeo codec -- software that compresses and decompresses video data -- from being used by either Internet Explorer (IE) or Windows Media Player. The update also prevents other applications that access the Internet from loading the codec.
It's unclear exactly how many unpatched vulnerabilities the Indeo codec contains, but at least two security companies -- VeriSign iDefense and Fortinet -- issued their own Indeo bug alerts Tuesday. The vulnerability uncovered by iDefense was reported to Microsoft more than a year ago.
The update targets only the oldest editions of Microsoft's operating system: Windows 2000, Windows XP and Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 already bar the Indeo codec from loading. Intel introduced the codec in 1992.
By blocking the codec from being used in IE and Windows Media Player, Microsoft said, it's protecting users against the known attack vectors, which would rely on duping people into visiting a malicious site.
It's unusual for Microsoft to skip patching known vulnerabilities and instead disable -- "deprecate" in programming terminology -- bits of code. "This is a rare occurrence, as it is usually challenging to remove functionality from products that customers are currently using without affecting existing applications," a Microsoft spokesman acknowledged via e-mail Thursday.
Patching the codec wouldn't make much sense, said Richie Lai, director of vulnerability research at security company Qualys. "Microsoft already made these changes for Vista and Windows 7, and Indeo is rarely used anymore," Lai said. "I see this more of an attack surface reduction move."
Microsoft saw it that way, too. "In this case, we created defense-in-depth changes that reduce the attack surface and removed the functionality of this codec rather than addressing individual vulnerabilities because it provided more comprehensive protection for an older, less used codec," said the company's spokesman.
On-disk applications, such as games that still rely on the Indeo codec, will function normally, Microsoft added.
This isn't the first time that Microsoft has declined to patch valid vulnerabilities. Last September, Microsoft announced that fixing a flaw in Windows 2000 Server SP4's implementation of TCP/IP was not feasible because that would "require re-architecting a very significant amount of the Windows 2000 SP4 operating system," and doing so meant "that there would be no assurance that applications designed to run on Windows 2000 SP4 would continue to operate on the updated system."
"Maybe this is a new trend," said Jason Miller, the security and data team manager of patch management vendor Shavlik Technologies.
"We believe this approach should provide more security for customers than addressing single instances of vulnerabilities," the Microsoft spokesman said.
The codec-blocking update has been pushed to Windows 2000, XP and Server 2003 users via Windows Update's automatic update mechanism.
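The article describes the block but gives no way to tell whether a legacy host still has Indeo registered at all. The following PowerShell audit is an added example, not code from Computerworld or Microsoft. It assumes that Video-for-Windows codecs are registered as vidc.<fourcc> values under the Drivers32 key and that the codec DLLs live in System32; it only reports, changing nothing. Because the article does not say how Microsoft's update implements the IE and Windows Media Player block, this script shows registration state only, not whether that block is in place.

```powershell
# Added example (not from the article or from Microsoft): inventory Indeo
# (IV31/IV32/IV41/IV50) Video-for-Windows registrations on a legacy Windows host.
# Assumptions: VfW codecs are listed as vidc.<fourcc> values under Drivers32,
# each naming a DLL that lives in %SystemRoot%\System32.

$drivers32    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$indeoFourccs = 'vidc.iv31', 'vidc.iv32', 'vidc.iv41', 'vidc.iv50'

function Get-IndeoRegistration {
    # Read the Drivers32 key once; on hosts without it, $key stays $null.
    $key = Get-ItemProperty -Path $drivers32 -ErrorAction SilentlyContinue

    foreach ($name in $indeoFourccs) {
        $dll = $null
        if ($key -and $key.PSObject.Properties[$name]) {
            $dll = $key.$name            # e.g. ir32_32.dll (value read from the registry)
        }
        $path = if ($dll) { Join-Path $env:SystemRoot "System32\$dll" } else { $null }

        [pscustomobject]@{
            FourCC     = $name
            Registered = [bool]$dll                       # a vidc.* value exists
            Dll        = $dll
            DllPresent = if ($path) { Test-Path $path } else { $false }
        }
    }
}

# Print one row per Indeo FourCC: registered or not, and whether the DLL is on disk.
Get-IndeoRegistration | Format-Table -AutoSize
```

A host that reports Registered and DllPresent as True for any row still carries the codec for local applications, which matches the article's note that on-disk applications such as games keep working; the defensive question is only whether the browser and media player paths are blocked.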