Windows Movie Maker Code Execution Vulnerability

Severity: Medium

9 March, 2010

Summary:

§ These vulnerabilities affect: Affects Windows Movie Maker 2.1, 2.6, and 6.0. Also affects Microsoft Producer 2003

§ How an attacker exploits them: By enticing you to open maliciously crafted Movie Maker or Producer project

§ Impact: An attacker can execute code, potentially gaining complete control of your computer

§ What to do: Install the appropriate Movie Maker patch as soon as possible, or let Microsoft's Automatic Update do it for you.

Exposure:

Windows Movie Maker is a video capturing and editing application that you get free with Windows. Movie Maker actually ships with older versions of Windows, such as Windows XP and 2000. However, the latest versions of Windows (Windows Vista and 7), don't provide the Movie Maker application on the installation disc. Instead, you have the option to download it for free as part of the Windows Live Essentials package. In short, if you have Windows XP, you have Windows Movie Maker. However, if you have Windows Vista or 7, you only have it if you chose to download and install the Live Essentials package.

Today, Microsoft released a security bulletin describing a buffer overflow vulnerability that affects Windows 2.1, 2.6, and 6.0. Also affects Microsoft Producer 2003 (Producer is another optional download that adds rich-media creation features to PowerPoint). Movie Maker and Producer do not properly parse specially crafted project files. If an attacker can entice you to download a specially crafted project file, then open that file in Movie Maker or Producer, he can exploit this flaw to execute code on your computer, with your privileges. If you have local administrative privileges, the attacker gains full control your computer.

While code execution flaws have the highest impact, we do not feel this flaw poses a high risk to most business users. Few business users ever run Movie Maker, so it would probably be more difficult to get them to interact with Movie Maker projects. Nonetheless, we still recommend you apply the Movie Maker update as soon as you can.

Solution Path

Microsoft has released updates for Windows Movie Maker to correct this vulnerability. You should download, test, and deploy the appropriate patch throughout your network as soon as possible (or just let the Microsoft Automatic Update feature do it for you). This flaw also affects Producer 2003, however, Microsoft has not released a patch for it. Instead, they recommend you uninstall the optional add-in, or remove its file associations. This Microsoft Fixit, will automatically remove Producer's file associations for you.

MS10-016:

Updates for Movie Maker:

§ For Windows XP

§ For Windows XP x64

§ For Windows Vista

§ For Windows Vista x64 Edition

§ For Windows 7

§ For Windows 7 x64

For All WatchGuard Users:

If you like, you can configure certain WatchGuard Firebox models to block Microsoft Movie Maker projects from arriving via the web, email, or through FTP transfers. If you don't need Movie Maker projects to conduct business, we recommend you do this. Nonetheless, you should still apply Microsoft's updates for full protection.

If you want to block Movie Maker projects, the links below provide video instructions on how to use your Firebox proxy's content blocking features to block file extensions. The file extensions you should block include, .MSWMM, .MSProducer, .MSProducerZ, and .MSProducerBF. Keep in mind, blocking files by extension blocks both malicious and legitimate documents.

§ Firebox X Edge running 10.x

§ How do I block files with the FTP proxy?

§ How do I block files with the HTTP proxy?

§ How do I block files with the POP3 proxy?

§ How do I block files with the SMTP proxy

§ Firebox X Core and X Peak running Fireware 10.x or Fireware XTM

§ How do I block files with the FTP proxy?

§ How do I block files with the HTTP proxy?

§ How do I block files with the POP3 proxy?

§ How do I block files with the SMTP proxy?