I am unable to locate a fixlet related to the MS Security Advisory 954157 (http://www.microsoft.com/technet/security/advisory/954157.mspx). I understand that they did not release any code to mitigate the issue, but the KB appears to offer two courses which would appear to make possible actions. At least detecting the relevance would be helpful and then pointing to the articles. I would think this falls squarely in the Security category, from the advisory, “The Indeo codec on systems running Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow remote code execution when opening specially crafted media content.” I am fully aware that I can write a fixlet myself, I just need to answer management’s questions as to why BigFix is not even detecting the issue.
For security advisories like this, we tend to not provide content immediately and instead we wait for the official update… The reason for this is that the initial workaround is often very problematic and can either disable large amounts of functionality or cause other problems…
For this security advisory, Microsoft has a few warnings in there, such as:
“This security update disables some Indeo functionality by not letting Windows Internet Explorer or Windows Media Player use the codec. Certain users may require this functionality and can re-enable this functionality of the Indeo codec by reverting the registry key changes that are made by this security update.”
“Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.”
Our concern is that we certainly don’t want to put our customers in a situation where we have given them a pre-authored Fixlet that is likely to cause problems. We often rely on feedback from the customer community about what customers would like to do in tricky situations like this…
Were you interested in a “detection-only” Fixlet or did you want to implement the workaround to disable the components?
A detection-only type fixlet would at least give us a chance to evaluate our exposure. I fully understand that the workaround may be worse than the actual chance of exploitation via the vulnerability, but if we don’t have a clue about our devices as provided by our centralized management system we cannot even attempt to quantify our response.
I’ve been hearing about this particular hotfix content request from other channels as well, and I’ve looked briefly at what a fixlet generation would take…
Maybe we should create the content but have the default action removed. That way, you guys get all the benefits of an audit fixlet while at the same time being able to disable the components if you really didn’t care about the Indeo Codec…
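The detection-only (audit) Fixlet discussed in this thread, written out as an added example; it is not BigFix-published content and not code from any of the posters. It assumes that the Indeo codec ships as the files ir32_32.dll, ir41_32.ax and ir50_32.dll in the System32 folder, and that the relevance operating-system names used below match the affected platforms named in the advisory. It deliberately carries no DefaultAction, so it only reports relevance; the registry changes from the KB workaround are not reproduced here because this thread does not list them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: detection-only Fixlet for the Indeo codec exposure in
     Microsoft Security Advisory 954157. Not BigFix-published content.
     Assumptions: Indeo codec binaries are ir32_32.dll, ir41_32.ax and
     ir50_32.dll in the System32 folder; OS names below are the relevance
     values for Windows 2000, XP and Server 2003. -->
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="BES.xsd">
  <Fixlet>
    <Title>Audit: MS Security Advisory 954157 - Indeo codec present</Title>
    <Description><![CDATA[
      Reports endpoints running Windows 2000, Windows XP or Windows Server 2003
      on which an Indeo codec binary is installed. Detection only: no action is
      offered. Advisory: http://www.microsoft.com/technet/security/advisory/954157.mspx
    ]]></Description>

    <!-- Platforms named in the advisory (OS name strings are assumptions). -->
    <Relevance><![CDATA[
      (name of it starts with "Win2000"
        or name of it starts with "WinXP"
        or name of it starts with "Win2003") of operating system
    ]]></Relevance>

    <!-- At least one Indeo codec binary is present (file names are assumptions). -->
    <Relevance><![CDATA[
      exists file "ir32_32.dll" of system folder
        or exists file "ir41_32.ax" of system folder
        or exists file "ir50_32.dll" of system folder
    ]]></Relevance>

    <Category>Security</Category>
    <Source>Microsoft</Source>
    <SourceID>954157</SourceID>
    <!-- No <DefaultAction>: the Fixlet is relevant for reporting only. An
         opt-in <Action> applying the KB workaround could be added later, as
         the last reply suggests, without making it the default. -->
  </Fixlet>
</BES>
```

Imported into the console, this Fixlet lists every affected endpoint that still has an Indeo codec on disk, which is the exposure count management asked about, without pushing a workaround that the KB itself warns may disable functionality.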