MS09-051 addresses a vulnerability (CVE-2009-0555) in the speech codec of Microsoft Window Media Component.

Users of Windows XP/Windows Vista/Windows Server 2003/Windows Server 2008* are affected by this vulnerability. However, for Win2k users, the story is more complex and we would like to go into more detail in this blog.

*Windows Server 2008 Core installation is not affected.

 

Are Win2K users affected?

Only in certain circumstances.

By default the vulnerable codec WMSPDMOD.dll is NOT shipped in-box on Win2k. The speech codec is not included in Windows Media Player (WMP) 6.4, which ships with Windows 2000. The optional WMP 7.1 download also does not include it. WMP 9 on the other hand does contain the speech codec. If you’ve installed WMP 9 on your Win2k machine you are affected and we recommend you install this update.

However even if a user only has WMP version 6.4 (default on win2k) or version 7.1, there is a possibility they are also vulnerable. This is due to the automated codec download feature of WMP.  The first time a user plays a file requiring a codec that is not present on the system, the player will attempt to download and install it from the Microsoft codec server.

Here is an example. Using WMP 7.1 to play a WMA file that uses Speech codec, you will see the following codec download dialogue in WMP.  If you have ever chosen to install the CAB you will have the speech codec WMSPDMOD.dll installed on your machine.

For WMP 6.4 users the player installs a different CAB from the Microsoft’s codec server. The speech codec it provides, WMAVDS32.ax, is affected by this vulnerability too.

How can I protect myself if I am a WMP 6.4/7.1 user on Win2k?

One option is to upgrade your WMP from 6.4/7.1 to WMP 9 and then apply the MS09-051 update.

Another option is to unregister and delete the old vulnerable speech codec if it has already been installed. To do that, follow these steps:

1)     Check if WMAVDS32.ax or WMSPDMOD.dll existed in the window’s system32 directory. If files existed, the vulnerable codec has already been installed due to the codec download feature

2)     Unregister the old codec

a.     For 6.4 users, do regsvr32 /u wmavds32.ax

b.    For 7.1 users, do regsvr32 /u wmspdmod.dll

3)     Delete these codec files

The side effect of the above steps is that it leaves users unable to play files that use the speech codec.

What if I still need to play these files?

The Microsoft codec server has been updated with the fixed codec. For WMP 6.4/71 users, new versions of the codec will be downloaded and installed if the old codec was not present or was unregistered and deleted and a media file requiring that codec was opened.

 

Big Thanks to Gavin Thomas and Robert Hensing from MSRC Engineering Team, and Rob Van Schooneveld from WIN GRP SE team.

-Chengyun Chu, MSRC Engineering