Rather than patch, Microsoft blocks buggy code
In a rare move, declines to fix multiple flaws in Windows 2000, XP
Computerworld - Microsoft has decided to disable a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities, according to the company's security team.
Last Tuesday, the same day it issued six updates that patched 12 bugs, Microsoft released a security advisory that outlined the unusual move, which blocks the Indeo codec -- software that compresses and decompresses video data -- from being used by either Internet Explorer (IE) or Windows Media Player. The update also prevents other applications that access the Internet from loading the codec.
It's unclear exactly how many unpatched vulnerabilities the Indeo codec contains, but at least two security companies -- VeriSign iDefense and Fortinet -- issued their own Indeo bug alerts Tuesday. The vulnerability uncovered by iDefense was reported to Microsoft more than a year ago.
The update targets only the oldest editions of Microsoft's operating system: Windows 2000, Windows XP and Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 already bar the Indeo codec from loading. Intel introduced the codec in 1992.
By blocking the codec from being used in IE and Windows Media Player, said Microsoft, it's protecting users against the known attack vectors, would rely on duping people into visiting a malicious site.
It's unusual for Microsoft to skip patching known vulnerabilities and instead disable -- "deprecate" in programming terminology -- bits of code. "This is a rare occurrence, as it is usually challenging to remove functionally from products that customers are currently using without affecting existing applications," a Microsoft spokesman acknowledged via e-mail Thursday.
Patching the codec wouldn't make much sense, said Richie Lai, director of vulnerability research at security company Qualys. "Microsoft already made these changes for Vista and Windows 7, and Indeo is rarely used anymore," Laid said. "I see this more of an attack surface reduction move."
Microsoft saw it that way, too. "In this case, we created defense-in-depth changes that reduce the attack surface and removed the functionality of this codec rather than addressing individual vulnerabilities because it provided more comprehensive protection for an older, less used codec," said the company's spokesman.
On-disk applications, such as games that still rely on the Indeo codec, will function normally, Microsoft added.
This isn't the first time that Microsoft has declined to patch valid vulnerabilities. Last September, Microsoft announced that fixing a flaw in Windows 2000 Server SP4's implementation of TCP/IP was not feasible because that would "require re-architecting a very significant amount of the Windows 2000 SP4 operating system," and doing so meant "that there would be no assurance that applications designed to run on Windows 2000 SP4 would continue to operate on the updated system."
"Maybe this is a new trend," said Jason Miller, the security and data team manager of patch management vendor Shavlik Technologies.
"We believe this approach should provide more security for customers than addressing single instances of vulnerabilities," the Microsoft spokesman said.
The codec-blocking update has been pushed to in Windows 2000, XP and Server 2003 users via Windows Update's automatic update mechanism.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts