A significant vulnerability surfaced in a very old video codec, but rather than fix it, Microsoft chose to just block use of it. Its argument? Hardly anyone uses it any more. Given the code is almost of voting age, they might be right.
Buried within Microsoft’s latest batch of bug patches this week was a Security Advisory regarding vulnerabilities in an old Intel video codec (coder/decoder). To be sure, the holes are serious, but Microsoft’s way of addressing problems with this particular codec is out of the ordinary.
Rather than patching the 17-year-old software, known as the Indeo codec, Microsoft is instead telling affected users to disable it with either an update or with workarounds.
“Instead of fixing specific vulnerabilities, Microsoft is creating defense-in-depth changes that reduce the attack surface all together for known vulnerabilities, and future similar vulnerabilities,” Microsoft’s Security Advisory said.
The flaw is a potentially dangerous one: The security holes can be exploited if a user happens to visit a site that contains boobytrapped content that calls for the Indeo codec, and can result in complete compromise of the user’s system.