Microsoft evades patching and blocks buggy code

Microsoft has decided to disable a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities, according to the company's security team.

On Tuesday, the same day it issued six updates that patched 12 bugs, Microsoft released a security advisory that outlined the unusual move, which blocks the Indeo codec - software that compresses and decompresses video data - from being used by either Internet Explorer (IE) or Windows Media Player. The update also prevents other applications that access the Internet from loading the codec.

It's unclear exactly how many unpatched vulnerabilities the Indeo codec contains, but at least two security companies - VeriSign iDefense and Fortinet - have issued their own Indeo bug alerts. The vulnerability uncovered by iDefense was reported to Microsoft more than a year ago.

The update targets only the oldest editions of Microsoft's operating system: Windows 2000, Windows XP and Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 already bar the Indeo codec from loading. Intel introduced the codec in 1992.

By blocking the codec from being used in IE and Windows Media Player, said Microsoft, it's protecting users against the known attack vectors, would rely on duping people into visiting a malicious site.

It's unusual for Microsoft to skip patching known vulnerabilities and instead disable - "deprecate" in programming terminology - bits of code. "This is a rare occurrence, as it is usually challenging to remove functionally from products that customers are currently using without affecting existing applications," a Microsoft spokesman acknowledged.

Patching the codec wouldn't make much sense, said Richie Lai, director of vulnerability research at security company Qualys. "Microsoft already made these changes for Vista and Windows 7, and Indeo is rarely used anymore," Laid said. "I see this more of an attack surface reduction move."

Microsoft saw it that way, too. "In this case, we created defense-in-depth changes that reduce the attack surface and removed the functionality of this codec rather than addressing individual vulnerabilities because it provided more comprehensive protection for an older, less used codec," said the company's spokesman.

On-disk applications, such as games that still rely on the Indeo codec, will function normally, Microsoft added.

This isn't the first time that Microsoft has declined to patch valid vulnerabilities. Last September, Microsoft announced that fixing a flaw in Windows 2000 Server SP4's implementation of TCP/IP was not feasible because that would "require re-architecting a very significant amount of the Windows 2000 SP4 operating system," and doing so meant "that there would be no assurance that applications designed to run on Windows 2000 SP4 would continue to operate on the updated system."

"Maybe this is a new trend," said Jason Miller, the security and data team manager of patch management vendor Shavlik Technologies.

"We believe this approach should provide more security for customers than addressing single instances of vulnerabilities," the Microsoft spokesman said.

The codec-blocking update has been pushed to in Windows 2000, XP and Server 2003 users via Windows Update's automatic update mechanism.