Microsoft Security Advisory: Vulnerabilities in the Indeo codec could allow remote code execution: December 8, 2009

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
INTRODUCTION
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
MORE INFORMATION

About the Microsoft in-box Indeo codec

There are multiple ways that the Indeo codec may be used, and certain applications may require the codec. The Indeo codec may be required when you visit legitimate Web sites and in corporate environment line-of-business applications. This may be a more common scenario for customers who are running older Windows operating systems. On the other hand, customers who do not have to use the codec may want to take an additional step and unregister the codec completely. This article covers two ways that the codec can be unregistered: by using the Fix-it option provided below or by manually unregistering the codec.

Unregister the Microsoft in-box Indeo codec by using the Fix-it option

Click the Fix this problem button in the first column of the following table to unregister the Indeo codec on your computer. After you do this, the codec cannot be used by any application. This tool both unregisters the codec binaries from the system and adds ACLs to prevent their use. A second Fix-it is available that reverses this action if you decide to do so in the future.

Use this Fix-it button to unregister the Indeo codec files automatically
Use this Fix-it button to re-register the Indeo codec files automatically


Unregister the Microsoft in-box Indeo codec manually

There are multiple files that are associated with the Microsoft in-box Indeo codec. Depending on the Windows operating system, not all the files that are listed here may be present on the computer. Users who want to manually unregister the Microsoft in-box Indeo codec files must verify that these files exist on the computer, locate the directory in which the files exist, and then run the sample script that is included with this article.

To remove the Microsoft in-box codec from the system manually, we suggest renaming the Microsoft in-box codec binaries to something like ‘binaryname.old’. This allows you to reverse the process in the future should you ever want to regain Indeo functionality. This article includes a sample script that can be used to do this in your environment in a more automated manner.

Note Unregistering Indeo codecs from the system may cause application compatibility issues if you try to play content that requires these codecs.

Note This table lists the binary name and the version of the Microsoft Indeo in-box codecs that you can unregister. It does not include any third-party codecs.

Windows 2000
Binary name     Version
ir32_32.dll     3.24.15.3
ir41_32.ax      4.51.16.3
ir41_qc.dll     4.30.62.2
ir41_qcx.dll    4.30.64.1
ir50_32.dll     5.2562.15.55
ir50_qc.dll     5.0.63.48
ir50_qcx.dll    5.0.64.48
ivfsrc.ax       5.10.2.51

Windows Server 2003 or Windows XP, x64-based version
Binary name     Version
ir32_32.dll     3.24.15.3
ir41_32.ax      4.51.16.3
ir41_qc.dll     4.30.62.2
ir41_qcx.dll    4.30.64.1
ir50_32.dll     5.2562.15.55
ir50_qc.dll     5.0.63.48
ir50_qcx.dll    5.0.64.48

Windows XP
Binary name     Version
ir32_32.dll     3.24.15.3
ir41_32.ax      4.51.16.3
ir41_qc.dll     4.30.62.2
ir41_qcx.dll    4.30.64.1
ir50_32.dll     5.2562.15.55
ir50_qc.dll     5.0.63.48
ir50_qcx.dll    5.0.64.48

Sample script to remove the Indeo codec

rem - list of indeo files
rem
rem ir32_32.dll
rem ir41_32.ax
rem ir41_qc.dll
rem ir41_qcx.dll
rem ir50_32.dll
rem ir50_qc.dll
rem ir50_qcx.dll
rem ivfsrc.ax

rem backup operations - 32-bit
copy %windir%\system32\ir32_32.dll %windir%\system32\ir32_32.dll.old
copy %windir%\system32\dllcache\ir32_32.dll %windir%\system32\dllcache\ir32_32.dll.old
copy %windir%\system32\ir41_32.ax %windir%\system32\ir41_32.ax.old
copy %windir%\system32\dllcache\ir41_32.ax %windir%\system32\dllcache\ir41_32.ax.old
copy %windir%\system32\ir41_qc.dll %windir%\system32\ir41_qc.dll.old
copy %windir%\system32\dllcache\ir41_qc.dll %windir%\system32\dllcache\ir41_qc.dll.old
copy %windir%\system32\ir41_qcx.dll %windir%\system32\ir41_qcx.dll.old
copy %windir%\system32\dllcache\ir41_qcx.dll %windir%\system32\dllcache\ir41_qcx.dll.old
copy %windir%\system32\ir50_32.dll %windir%\system32\ir50_32.dll.old
copy %windir%\system32\dllcache\ir50_32.dll %windir%\system32\dllcache\ir50_32.dll.old
copy %windir%\system32\ir50_qc.dll %windir%\system32\ir50_qc.dll.old
copy %windir%\system32\dllcache\ir50_qc.dll %windir%\system32\dllcache\ir50_qc.dll.old
copy %windir%\system32\ir50_qcx.dll %windir%\system32\ir50_qcx.dll.old
copy %windir%\system32\dllcache\ir50_qcx.dll %windir%\system32\dllcache\ir50_qcx.dll.old
copy %windir%\system32\ivfsrc.ax %windir%\system32\ivfsrc.ax.old
copy %windir%\system32\dllcache\ivfsrc.ax %windir%\system32\dllcache\ivfsrc.ax.old

rem backup operations - wow64
copy %windir%\syswow64\ir32_32.dll %windir%\syswow64\ir32_32.dll.old
copy %windir%\system32\dllcache\wir32_32.dll %windir%\system32\dllcache\wir32_32.dll.old
copy %windir%\syswow64\ir41_32.ax %windir%\syswow64\ir41_32.ax.old
copy %windir%\system32\dllcache\wir41_32.ax %windir%\system32\dllcache\wir41_32.ax.old
copy %windir%\syswow64\ir41_qc.dll %windir%\syswow64\ir41_qc.dll.old
copy %windir%\system32\dllcache\wir41_qc.dll %windir%\system32\dllcache\wir41_qc.dll.old
copy %windir%\syswow64\ir41_qcx.dll %windir%\syswow64\ir41_qcx.dll.old
copy %windir%\system32\dllcache\wir41_qcx.dll %windir%\system32\dllcache\wir41_qcx.dll.old
copy %windir%\syswow64\ir50_32.dll %windir%\syswow64\ir50_32.dll.old
copy %windir%\system32\dllcache\wir50_32.dll %windir%\system32\dllcache\wir50_32.dll.old
copy %windir%\syswow64\ir50_qc.dll %windir%\syswow64\ir50_qc.dll.old
copy %windir%\system32\dllcache\wir50_qc.dll %windir%\system32\dllcache\wir50_qc.dll.old
copy %windir%\syswow64\ir50_qcx.dll %windir%\syswow64\ir50_qcx.dll.old
copy %windir%\system32\dllcache\wir50_qcx.dll %windir%\system32\dllcache\wir50_qcx.dll.old
copy %windir%\syswow64\ivfsrc.ax %windir%\syswow64\ivfsrc.ax.old
copy %windir%\system32\dllcache\wivfsrc.ax %windir%\system32\dllcache\wivfsrc.ax.old

rem deletion operations - 32bit
if exist %windir%\system32\ir32_32.dll.old ( del %windir%\system32\ir32_32.dll )
if exist %windir%\system32\dllcache\ir32_32.dll.old ( del %windir%\system32\dllcache\ir32_32.dll )
if exist %windir%\system32\ir41_32.ax.old ( del %windir%\system32\ir41_32.ax )
if exist %windir%\system32\dllcache\ir41_32.ax.old ( del %windir%\system32\dllcache\ir41_32.ax )
if exist %windir%\system32\ir41_qc.dll.old ( del %windir%\system32\ir41_qc.dll )
if exist %windir%\system32\dllcache\ir41_qc.dll.old ( del %windir%\system32\dllcache\ir41_qc.dll )
if exist %windir%\system32\ir41_qcx.dll.old ( del %windir%\system32\ir41_qcx.dll )
if exist %windir%\system32\dllcache\ir41_qcx.dll.old ( del %windir%\system32\dllcache\ir41_qcx.dll )
if exist %windir%\system32\ir50_32.dll.old ( del %windir%\system32\ir50_32.dll )
if exist %windir%\system32\dllcache\ir50_32.dll.old ( del %windir%\system32\dllcache\ir50_32.dll )
if exist %windir%\system32\ir50_qc.dll.old ( del %windir%\system32\ir50_qc.dll )
if exist %windir%\system32\dllcache\ir50_qc.dll.old ( del %windir%\system32\dllcache\ir50_qc.dll )
if exist %windir%\system32\ir50_qcx.dll.old ( del %windir%\system32\ir50_qcx.dll )
if exist %windir%\system32\dllcache\ir50_qcx.dll.old ( del %windir%\system32\dllcache\ir50_qcx.dll )
if exist %windir%\system32\ivfsrc.ax.old ( del %windir%\system32\ivfsrc.ax )
if exist %windir%\system32\dllcache\ivfsrc.ax.old ( del %windir%\system32\dllcache\ivfsrc.ax )

rem deletion operations - wow64
if exist %windir%\syswow64\ir32_32.dll.old ( del %windir%\syswow64\ir32_32.dll )
if exist %windir%\system32\dllcache\wir32_32.dll.old ( del %windir%\system32\dllcache\wir32_32.dll )
if exist %windir%\syswow64\ir41_32.ax.old ( del %windir%\syswow64\ir41_32.ax )
if exist %windir%\system32\dllcache\wir41_32.ax.old ( del %windir%\system32\dllcache\wir41_32.ax )
if exist %windir%\syswow64\ir41_qc.dll.old ( del %windir%\syswow64\ir41_qc.dll )
if exist %windir%\system32\dllcache\wir41_qc.dll.old ( del %windir%\system32\dllcache\wir41_qc.dll )
if exist %windir%\syswow64\ir41_qcx.dll.old ( del %windir%\syswow64\ir41_qcx.dll )
if exist %windir%\system32\dllcache\wir41_qcx.dll.old ( del %windir%\system32\dllcache\wir41_qcx.dll )
if exist %windir%\syswow64\ir50_32.dll.old ( del %windir%\syswow64\ir50_32.dll )
if exist %windir%\system32\dllcache\wir50_32.dll.old ( del %windir%\system32\dllcache\wir50_32.dll )
if exist %windir%\syswow64\ir50_qc.dll.old ( del %windir%\syswow64\ir50_qc.dll )
if exist %windir%\system32\dllcache\wir50_qc.dll.old ( del %windir%\system32\dllcache\wir50_qc.dll )
if exist %windir%\syswow64\ir50_qcx.dll.old ( del %windir%\syswow64\ir50_qcx.dll )
if exist %windir%\system32\dllcache\wir50_qcx.dll.old ( del %windir%\system32\dllcache\wir50_qcx.dll )
if exist %windir%\syswow64\ivfsrc.ax.old ( del %windir%\syswow64\ivfsrc.ax )
if exist %windir%\system32\dllcache\wivfsrc.ax.old ( del %windir%\system32\dllcache\wivfsrc.ax )
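
A read-only check to run after the sample script, added here as an example and not part of the Microsoft article: for every location the sample script touches, it reports whether the binary is still live, renamed to .old, or absent. The labels ACTIVE, RENAMED and ABSENT, the LIVE counter and the :check subroutine are names chosen for this example.

```bat
@echo off
rem Added example, not part of the original article. Read-only: changes nothing.
rem Walks the same four locations per file that the sample script handles.
setlocal
set LIVE=0
for %%F in (ir32_32.dll ir41_32.ax ir41_qc.dll ir41_qcx.dll ir50_32.dll ir50_qc.dll ir50_qcx.dll ivfsrc.ax) do (
    call :check "%windir%\system32\%%F"
    call :check "%windir%\system32\dllcache\%%F"
    call :check "%windir%\syswow64\%%F"
    call :check "%windir%\system32\dllcache\w%%F"
)
if %LIVE%==0 (echo RESULT: no active Indeo binaries found) else (echo RESULT: %LIVE% active Indeo binaries remain)
rem Exit code is the number of binaries still live, so 0 means fully renamed.
exit /b %LIVE%

:check
rem %1 is the quoted path of one codec binary; %~1 is the same path unquoted.
if not exist %1 goto notlive
set /a LIVE+=1
if exist "%~1.old" (echo ACTIVE   %~1   [.old copy also present]) else (echo ACTIVE   %~1)
goto :eof

:notlive
if exist "%~1.old" (echo RENAMED  %~1.old) else (echo ABSENT   %~1)
goto :eof
```

A line reading ACTIVE with an .old copy also present means the copy step succeeded but the original binary is still in place, so the codec has not actually been removed at that location.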

Re-enable the Indeo functionality after this security update is installed

Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

This security update disables some Indeo functionality by not letting Windows Internet Explorer or Windows Media Player use the codec. Certain users may require this functionality and can re-enable this functionality of the Indeo codec by reverting the registry key changes that are made by this security update. The registry key changes are different on the different versions of the Windows operating system.

Note Reverting the registry key changes may expose the user to security issues and weaken the security profile of the computer.

To revert the APPCOMPAT mitigation without uninstalling the security update, please see the following Windows operating system specific directions that are appropriate for your computer.
Microsoft Windows 2000
Delete or rename the following registry subkeys.
Component    Registry subkey
Iexplore.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility\Iexplore.exe
Wmplayer.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility\Wmplayer.exe
Mplayer2.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility\Mplayer2.exe
Mplay32.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility\Mplay32.exe
Windows XP
Create the following registry subkeys.
Component    Registry subkey
Iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {5042648C-F439-468D-859B-6CD12BA02D3A}
Value data: (hex) 0x00000001
Wmplayer.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {46676BCD-88EB-42E1-B542-6929118E8029}
Value data: (hex) 0x00000001
Mplayer2.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {F1DAD733-5C90-4212-AE22-FFDAEB2C5004}
Value data: (hex) 0x00000001
Mplayer32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {A5153E0F-B708-46AD-9011-8BE6CA921340}
Value data: (hex) 0x00000001
Windows Server 2003, x86-based and x64-based versions
Create the following registry subkeys.
Component    Registry subkey
Iexplore.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {5042648C-F439-468D-859B-6CD12BA02D3A}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {5042648C-F439-468D-859B-6CD12BA02D3A}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {A731342D-6D9B-4FE5-970D-5A3D0B6BBB6C}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {A731342D-6D9B-4FE5-970D-5A3D0B6BBB6C}
Value data: (hex) 0x00000001
Wmplayer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {46676BCD-88EB-42E1-B542-6929118E8029}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {46676BCD-88EB-42E1-B542-6929118E8029}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {405BCD49-9AAE-47C8-8E30-A8A504B626CB}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {405BCD49-9AAE-47C8-8E30-A8A504B626CB}
Value data: (hex) 0x00000001
Mplayer2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {F1DAD733-5C90-4212-AE22-FFDAEB2C5004}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {F1DAD733-5C90-4212-AE22-FFDAEB2C5004}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {75A1B058-2189-422D-A967-F7AFF142237C}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {75A1B058-2189-422D-A967-F7AFF142237C}
Value data: (hex) 0x00000001
Mplayer32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {A5153E0F-B708-46AD-9011-8BE6CA921340}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {A5153E0F-B708-46AD-9011-8BE6CA921340}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {5B8661D5-ECE1-4BD9-93E8-5B7E56544EE2}
Value data: (hex) 0x00000001

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

REG_DWORD: {5B8661D5-ECE1-4BD9-93E8-5B7E56544EE2}
Value data: (hex) 0x00000001
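
To find computers on which the mitigation has been reverted, the following read-only check looks for the Windows XP and Windows Server 2003 values listed above. It is an added example, not part of the Microsoft article; it assumes reg.exe is available on the computer, and the REVERTED counter and :probe subroutine are names chosen for this example. The Windows 2000 procedure uses different subkeys and is not covered.

```bat
@echo off
rem Added example, not part of the original article. Read-only: uses reg query only.
rem Per the article, a REG_DWORD named by one of these GUIDs with data 0x1 under
rem AppCompatFlags re-enables Indeo for a component that the update had blocked.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
set WOW=HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
set REVERTED=0
for %%G in (
    {5042648C-F439-468D-859B-6CD12BA02D3A}
    {A731342D-6D9B-4FE5-970D-5A3D0B6BBB6C}
    {46676BCD-88EB-42E1-B542-6929118E8029}
    {405BCD49-9AAE-47C8-8E30-A8A504B626CB}
    {F1DAD733-5C90-4212-AE22-FFDAEB2C5004}
    {75A1B058-2189-422D-A967-F7AFF142237C}
    {A5153E0F-B708-46AD-9011-8BE6CA921340}
    {5B8661D5-ECE1-4BD9-93E8-5B7E56544EE2}
) do (
    call :probe "%KEY%" %%G
    call :probe "%WOW%" %%G
)
if %REVERTED%==0 (echo RESULT: no revert values found) else (echo RESULT: %REVERTED% revert values present)
rem Exit code is the number of revert values found, so 0 means the block is intact.
exit /b %REVERTED%

:probe
rem %1 = quoted key path, %2 = GUID value name.
rem reg query prints nothing when the key or value is missing, so find then fails.
rem The match is on the substring 0x1 in the printed value data.
reg query %1 /v %2 2>nul | find /i "0x1" >nul
if errorlevel 1 goto :eof
set /a REVERTED+=1
echo REVERTED  %~1\%2
goto :eof
```

On a 32-bit system the Wow6432Node key does not exist, so those probes simply report nothing.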

Known issues

The Quartz.dll file is listed as an unsigned binary

Consider the following scenario:
  • You install this update on a computer that is running Microsoft Windows 2000 with Service Pack 4 and that has DirectX 7 or DirectX 8 installed.
  • You upgrade the system to DirectX 8 or DirectX 9.
  • You try to update the system again with this update.
In this scenario, the Quartz.dll file is successfully updated to the secured version. However, the file may be listed as an unsigned binary.

To avoid this issue, follow these steps:
  1. Uninstall the update for the earlier version of Microsoft DirectShow.
  2. Manually delete the following catalog file:
    %systemroot%\system32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB971633.cat
  3. Upgrade to the newer version of DirectShow.
  4. Install the security update that is appropriate for the new version of DirectX.

More information about this advisory

To access packages, click the following links. For more information about this advisory, click the following article numbers to view the articles in the Microsoft Knowledge Base:
955759 Microsoft Security Advisory: Description of the AppCompat update for Indeo codec: December 08, 2009
976138 Microsoft Security Advisory: Description of the Quartz update for Indeo codec: December 08, 2009
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.
Properties

Article ID: 954157 - Last Review: 06/25/2010 16:34:00 - Revision: 2.1

Microsoft Windows Server 2003 Service Pack 2, Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, Microsoft Windows 2000 Service Pack 4
