Release Date: Mar 10, 2010
Severity: high
Impact: The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker or Microsoft Producer project file and convinced the user to open it. Users whose accounts are configured with fewer user rights on the system would be less affected than users who operate with administrative user rights.
Description: Windows Movie Maker is a video creation and editing application included in Microsoft Windows Me, XP, and Vista. It provides effects, transitions, titles and credits, an audio track, timeline narration, and AutoMovie.
In March 2010, Damian Frizza of Core Security Technologies reported a remote code execution vulnerability in Microsoft Windows Movie Maker and Microsoft Producer caused by a boundary condition error. When handling an MSWMM project file, the function IsValidWMToolsStream in DirectShow uses the same pointer, "pbuffer", twice with two different sizes: on the second use it copies data from the MSWMM file into pbuffer without reallocating it first. If the size of the data read from the file is larger than the buffer's initial internal size, the copy overruns the buffer and the process jumps to an unspecified address, resulting in memory corruption or remote code execution. Note: the same exploit flow exists in Microsoft Producer.
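The flaw described above, reduced to its bug class, as an added example that is not part of the original page and is not Microsoft's or Core Security's code: a buffer allocated for a first, correctly sized read is reused for a second read whose length also comes from the file, with no reallocation in between, beside a hardened version that compares the second length with the buffer's capacity before copying. The record layout (two little-endian length-prefixed records), the MAX_RECORD limit, the GUARD slack and the canary are assumptions of this demo, not the MSWMM format or the real IsValidWMToolsStream; the guard and canary exist only so the overrun can be observed without undefined behaviour.

```c
/* Added illustration of the bug class described above, not the real
 * IsValidWMToolsStream: pbuffer is sized for the first read and then reused
 * for a second read whose length also comes from the file, with no realloc.
 * Constructed record layout (not MSWMM): [u32 LE size1][size1 bytes][u32 LE size2][size2 bytes] */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORD 4096u   /* hypothetical sanity limit on a record length */
#define GUARD      64u     /* demo-only slack after pbuffer so the overrun stays inside one allocation */
#define CANARY     0xA5C3E1F0u

enum result { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_BIG, PARSE_NOMEM, PARSE_OVERRUN };

static int read_u32le(const uint8_t *d, size_t len, size_t *off, uint32_t *out) {
    if (len - *off < 4) return 0;
    *out = (uint32_t)d[*off] | (uint32_t)d[*off + 1] << 8 |
           (uint32_t)d[*off + 2] << 16 | (uint32_t)d[*off + 3] << 24;
    *off += 4;
    return 1;
}

/* Vulnerable flow. The first copy is bounded by size1; the second trusts size2 and
 * never compares it with pbuffer's capacity. Canary and guard bytes are demo
 * scaffolding that make the overrun observable instead of undefined. */
enum result parse_vulnerable(const uint8_t *d, size_t len) {
    size_t off = 0;
    uint32_t size1, size2, canary = CANARY;
    if (!read_u32le(d, len, &off, &size1)) return PARSE_TRUNCATED;
    if (size1 > MAX_RECORD) return PARSE_TOO_BIG;
    if (len - off < size1) return PARSE_TRUNCATED;
    uint8_t *block = malloc(size1 + 4 + GUARD);
    if (!block) return PARSE_NOMEM;
    uint8_t *pbuffer = block;                  /* capacity is size1 bytes */
    memcpy(block + size1, &canary, 4);         /* canary sits right after pbuffer */
    memcpy(pbuffer, d + off, size1);           /* first read: correctly sized */
    off += size1;
    if (!read_u32le(d, len, &off, &size2) || len - off < size2) { free(block); return PARSE_TRUNCATED; }
    if (size2 > size1 + 4 + GUARD) { free(block); return PARSE_TOO_BIG; } /* demo-only: stay inside block */
    memcpy(pbuffer, d + off, size2);           /* BUG: size2 never checked against size1, no realloc */
    memcpy(&canary, block + size1, 4);
    free(block);
    return canary == CANARY ? PARSE_OK : PARSE_OVERRUN;
}

/* Hardened flow: compare the second length with the current capacity and grow
 * the buffer (or reject the record) before reusing it. */
enum result parse_hardened(const uint8_t *d, size_t len, size_t *out_total) {
    size_t off = 0, cap;
    uint32_t size1, size2;
    if (!read_u32le(d, len, &off, &size1)) return PARSE_TRUNCATED;
    if (size1 > MAX_RECORD) return PARSE_TOO_BIG;
    if (len - off < size1) return PARSE_TRUNCATED;
    uint8_t *pbuffer = malloc(size1 ? size1 : 1);
    if (!pbuffer) return PARSE_NOMEM;
    cap = size1;
    memcpy(pbuffer, d + off, size1);
    off += size1;
    if (!read_u32le(d, len, &off, &size2)) { free(pbuffer); return PARSE_TRUNCATED; }
    if (size2 > MAX_RECORD) { free(pbuffer); return PARSE_TOO_BIG; }
    if (len - off < size2) { free(pbuffer); return PARSE_TRUNCATED; }
    if (size2 > cap) {                          /* FIX: grow before the second copy */
        uint8_t *grown = realloc(pbuffer, size2);
        if (!grown) { free(pbuffer); return PARSE_NOMEM; }
        pbuffer = grown;
        cap = size2;
    }
    memcpy(pbuffer, d + off, size2);
    free(pbuffer);
    if (out_total) *out_total = (size_t)size1 + size2;
    return PARSE_OK;
}

/* Builds a constructed stream: 'A' bytes in record one, 'B' bytes in record two. */
size_t build_stream(uint8_t *out, size_t cap, uint32_t size1, uint32_t size2) {
    size_t n = 8 + (size_t)size1 + size2;
    if (n > cap) return 0;
    uint8_t *p = out;
    for (int i = 0; i < 4; i++) *p++ = (uint8_t)(size1 >> (8 * i));
    memset(p, 'A', size1); p += size1;
    for (int i = 0; i < 4; i++) *p++ = (uint8_t)(size2 >> (8 * i));
    memset(p, 'B', size2);
    return n;
}

/* Wrappers: build a stream for the given lengths and run one parser over it. */
enum result run_vulnerable(uint32_t s1, uint32_t s2) {
    uint8_t s[512]; size_t n = build_stream(s, sizeof s, s1, s2);
    return n ? parse_vulnerable(s, n) : PARSE_TOO_BIG;
}
enum result run_hardened(uint32_t s1, uint32_t s2, size_t *total) {
    uint8_t s[512]; size_t n = build_stream(s, sizeof s, s1, s2);
    return n ? parse_hardened(s, n, total) : PARSE_TOO_BIG;
}

int main(void) {
    /* Benign: both records 8 bytes. Crafted: second record (32) exceeds pbuffer (8). */
    printf("benign  vulnerable=%d hardened=%d\n", run_vulnerable(8, 8), run_hardened(8, 8, NULL));
    printf("crafted vulnerable=%d hardened=%d\n", run_vulnerable(8, 32), run_hardened(8, 32, NULL));
    return 0;
}
```

On the crafted stream the vulnerable parser reports PARSE_OVERRUN because the 32-byte second copy ran past the 8-byte pbuffer and clobbered the canary; the hardened parser grows the buffer and returns PARSE_OK. In the real target there is no canary, so the same over-copy lands on whatever follows the buffer on the heap, which is what the description means by memory corruption.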
Affected Products:
Windows XP Service Pack 2 and Windows XP Service Pack 3: Movie Maker 2.1
Windows XP Professional x64 Edition Service Pack 2: Movie Maker 2.1
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2: Movie Maker 6.0, Movie Maker 2.6
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2: Movie Maker 6.0, Movie Maker 2.6
Microsoft Producer 2003
Recommended Actions:
For FortiGate users, enabling the IPS signature MS.DirectShow.biClrUsed.Remote.Code.Execution can prevent exploitation of this vulnerability.
Apply the patch from the vendor: http://technet.microsoft.com/en-us/security/bulletin/MS10-016
Workarounds (these only stop the crafted files from being opened automatically, for example by double-click; a user who opens such a file from within the application is still exposed, so treat them as stopgaps until the patch is applied):
1) Remove the Movie Maker .MSWMM file association
Remove it with the following steps:
1.1) Click Start, click Run, type regedit, and then click OK.
1.2) Expand HKEY_CLASSES_ROOT, click on .MSWMM, and then click the File menu and select Export.
1.3) In the Export Registry File dialog box, type MSWMM file association registry backup.reg and click Save. This creates a backup of the registry key, in the 'My Documents' folder by default.
1.4) Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry value, click Yes.
2) Remove the Microsoft Producer 2003 .MSProducer, .MSProducerZ, and .MSProducerBF file associations
To remove the .MSProducer, .MSProducerZ, and .MSProducerBF file associations, follow these steps:
2.1) Click Start, click Run, type regedit, and then click OK.
2.2) Expand HKEY_CLASSES_ROOT, click on .MSProducer, and then click the File menu and select Export.
2.3) In the Export Registry File dialog box, type MSProducerHKCR file association registry backup.reg and click Save. This creates a backup of the registry key, in the 'My Documents' folder by default.
2.4) Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry value, click Yes.
2.5) Repeat steps 2.2 through 2.4 for the .MSProducerZ and .MSProducerBF file associations.
2.6) Expand HKEY_CURRENT_USER, then Software, then Microsoft, then Windows, then CurrentVersion, then Explorer, and then FileExts.
2.7) Click .MSProducer, click File, and then click Export.
2.8) In the Export Registry File dialog box, type MSProducer HKCU file association registry backup.reg, and then click Save. This creates a backup of the registry key, in the 'My Documents' folder by default.
2.9) Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry value, click Yes.
2.10) Repeat steps 2.6 through 2.9 for the .MSProducerZ and .MSProducerBF file associations.
3) Disable Microsoft Producer 2003 by restricting access
For Windows XP for 32-bit Systems, run the following command from a command prompt:
cacls "%programfiles%\microsoft producer 2\producer.exe" /E /P everyone:N
For Windows XP for x64-based Systems, run the following command from a command prompt:
cacls "%programfiles(x86)%\microsoft producer 2\producer.exe" /E /P everyone:N
4) Prevent Microsoft Producer 2003 from being installed
For Windows XP for 32-bit Systems, run the following commands from a command prompt:
md "%programfiles%\microsoft producer 2"
echo Placeholder > "%programfiles%\microsoft producer 2\producer.exe"
cacls "%programfiles%\microsoft producer 2\producer.exe" /E /P everyone:N
For Windows XP for x64-based Systems, run the following commands from a command prompt:
md "%programfiles(x86)%\microsoft producer 2"
echo Placeholder > "%programfiles(x86)%\microsoft producer 2\producer.exe"
cacls "%programfiles(x86)%\microsoft producer 2\producer.exe" /E /P everyone:N
5) Uninstall Microsoft Producer 2003
Use Add/Remove Programs to uninstall Microsoft Producer 2003.
Coverage: IPS, VCM
Common Vulnerabilities and Exposures (CVE): CVE-2010-0265
References: http://www.microsoft.com/technet/security/Bulletin/ms10-016.mspx (MS-ID)