nCircle.com >> 360 Security >> VERT

« CVSSv2 Vector Confusion | Main | Patch Tuesday - December 2007 »

Q: When is a Vulnerable Application not a Vulnerable Application?

A: When the vulnerable component is a third party addon.

It seems that quite a few people are talking about a Stack Overflow that appeared on milw0rm over the weekend. ISC posted on it, SecurityFocus has added it as a vulnerability and assigned an Bugtraq ID to it and Donna's SecurityFlash has picked it up.

Shortly after the ISC post went up, I sent an email to them via their contact form, letting them know that this wasn't a vulnerability in Windows Media Player 6.4. They have finally updated their content to reflect this, but others still haven't... so consider this an update to all those other sites.

This vulnerability affects the 3ivx codec pack and specifically 3ivx.dll. Windows Media Player 6.4, which is found on all versions of Windows up to, and including, Windows Server 2003 doesn't support natively support mp4 files, which is the file format generated by the PoC.

According to the individual that discovered the vulnerability, the latest release (5.0.1) is vulnerable to this flaw.

Posted by Tyler Reguly on December 10, 2007 8:31 AM |

TrackBack

TrackBack URL for this entry:
http://blog.ncircle.com/cgi-bin/mt-tb.cgi/247

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Verification (needed to reduce spam):

Search


About

This page contains a single entry from the blog posted on December 10, 2007 8:31 AM.

The previous post in this blog was CVSSv2 Vector Confusion.

The next post in this blog is Patch Tuesday - December 2007.

Many more can be found on the main index page or by looking through the archives.

Subscribe to this blog's feed
[What is this?]