nCircle VERT Blog

Q: When is a Vulnerable Application not a Vulnerable Application?

A: When the vulnerable component is a third party addon.

It seems that quite a few people are talking about a Stack Overflow that appeared on milw0rm over the weekend. ISC posted on it, SecurityFocus has added it as a vulnerability and assigned an Bugtraq ID to it and Donna's SecurityFlash has picked it up.

Shortly after the ISC post went up, I sent an email to them via their contact form, letting them know that this wasn't a vulnerability in Windows Media Player 6.4. They have finally updated their content to reflect this, but others still haven't... so consider this an update to all those other sites.

This vulnerability affects the 3ivx codec pack and specifically 3ivx.dll. Windows Media Player 6.4, which is found on all versions of Windows up to, and including, Windows Server 2003 doesn't support natively support mp4 files, which is the file format generated by the PoC.

According to the individual that discovered the vulnerability, the latest release (5.0.1) is vulnerable to this flaw.

Posted by Tyler Reguly on December 10, 2007 8:31 AM |

TrackBack

TrackBack URL for this entry:
http://blog.ncircle.com/cgi-bin/mt-tb.cgi/247

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Verification (needed to reduce spam):


About

This page contains a single entry from the blog posted on December 10, 2007 8:31 AM.

The previous post in this blog was CVSSv2 Vector Confusion.

The next post in this blog is Patch Tuesday - December 2007.

Many more can be found on the main index page or by looking through the archives.



Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vunerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.


Search

   


Recent Posts

   

Archives

   

Categories