Microsoft Windows Movie Maker contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.
The vulnerability is due to insecure parsing of Windows Movie Maker project files. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious project file. If the user opens the file, the attacker could exploit the vulnerability to execute arbitrary code with the privileges of the user.
Proof-of-concept code that exploits this vulnerability is publicly available.
Microsoft has confirmed this vulnerability in a security bulletin and released updated software.
Indicators of Compromise
Microsoft Windows Movie Maker 2.1 contains this vulnerability when running on the following systems:
Windows XP SP3 and prior
Windows XP Professional x64 Edition SP2 and prior
Microsoft Windows Movie Maker 2.6 contains this vulnerability when running on the following systems:
Windows Vista x64 Edition
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Microsoft Windows Movie Maker 6.0 contains this vulnerability when running on the following systems:
Windows Vista SP2 and prior
Windows Vista x64 Edition SP2 and prior
Systems running Microsoft Producer 2003, a component of PowerPoint that is included in Microsoft Office 2003, are also vulnerable.
This vulnerability is due to insufficient boundary checking that occurs in the IsValidWMToolsStream() function when the vulnerable application processes mswmm files. The vulnerable function copies data to the *pbuffer memory object twice, with two different sets of input. During the second access, the *pbuffer pointer is not reallocated before it is used again. A buffer overflow may occur if the size of the data copied to the object is bigger than the initial value of the *pbuffer value.
An unauthenticated, remote attacker could exploit the vulnerability by sending a malicious project file to a user on an affected system. If the user opens the file, the attacker could execute arbitrary code with the privileges of the user.
To exploit this vulnerability, the attacker must convince a user to view a malicious Windows Movie Maker project file. The attacker may deliver a file to the user as an e-mail attachment, using social engineering techniques.
On systems where users hold elevated privileges, the attacker could execute code that results in a full system compromise. However, if the user runs applications with limited privileges, any code execution as the result of an exploit would occur in a restricted security context, limiting the overall impact.
Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM
THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.