CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (MS10-050)
A vulnerability has been discovered in Windows Movie Maker which could allow an attacker to take complete control of an affected system. Windows Movie Maker is a video editing application available for Microsoft Windows, which is installed by default on Windows XP and Vista systems. This vulnerability could allow remote code execution if a user opens a specially crafted Windows Movie Maker project file (.MSWMM). The file may be received as an email attachment, on removable media, or downloaded via the web. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.
- Windows XP
- Windows Vista
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
- Home users: High
A vulnerability has been identified in Microsoft Windows Movie Maker that could allow an attacker to take complete control of an affected system. This vulnerability exists because of the way Microsoft Windows Movie Maker parses Movie Maker project files (.MSWMM). Specifically, this issue arises because Microsoft Windows Movie Maker does not perform sufficient boundary checks when parsing strings in maliciously crafted Movie Maker project files. This results in a buffer overflow condition that could allow for remote code execution if successfully exploited by an attacker.
This vulnerability can be exploited via an email attachment or through the web. In the email-based scenario, the user would have to open the specially crafted Movie Maker project file as an email attachment. In the web-based scenario, a user would have to open a specially crafted media file that is hosted on a website. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Consider blocking .MSWMM files at the network perimeter.
- Consider removing the Movie Maker .MSWMM file association.
- Inform and educate users regarding the threats posed by attachments and hypertext links contained in emails, especially from untrusted sources.
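
The perimeter-blocking recommendation above, sketched as an added example (not part of the MS-ISAC advisory or any Microsoft tooling): a Python check that a mail-gateway hook could run to flag .MSWMM attachments, including mixed-case names and files packed inside ZIP attachments. The function names and the sample messages are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = ".mswmm"  # extension named in the advisory


def is_blocked(name):
    # Win32 path handling drops trailing dots and spaces, so normalise
    # the name before a case-insensitive extension comparison.
    return name.strip().rstrip(". ").lower().endswith(BLOCKED_EXT)


def find_blocked(raw_message):
    """Return names of .MSWMM files attached directly or inside ZIPs."""
    hits = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        if is_blocked(name):
            hits.append(name)
            continue
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [f"{name}!{n}" for n in zf.namelist() if is_blocked(n)]
    return hits


def build_sample(filename, data):
    """Constructed test message; addresses and contents are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "clip"
    m.set_content("see attached")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


def zip_with(member):
    """Constructed ZIP holding one placeholder member (not a real project)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes")
    return buf.getvalue()
```

Only one level of ZIP nesting is inspected; encrypted or other archive formats would need their own handling or a quarantine-by-default rule.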