December 11th, 2009, 19:17 PM
Rather than patch, Microsoft blocks buggy code
Microsoft has decided to disable a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities, according to the company's security team.
Last Tuesday, the same day it issued six updates that patched 12 bugs, Microsoft released a security advisory that outlined the unusual move, which blocks the Indeo codec -- software that compresses and decompresses video data -- from being used by either Internet Explorer (IE) or Windows Media Player. The update also prevents other applications that access the Internet from loading the codec.
It's unclear exactly how many unpatched vulnerabilities the Indeo codec contains, but at least two security companies -- VeriSign iDefense and Fortinet -- issued their own Indeo bug alerts Tuesday. The vulnerability uncovered by iDefense was reported to Microsoft more than a year ago.
The update targets only the oldest editions of Microsoft's operating system: Windows 2000, Windows XP and Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 already bar the Indeo codec from loading. Intel introduced the codec in 1992.
Full story: Computerworld