|
|
| lebow |
| Posted: Nov 4 2013, 09:11 PM |
 |
|
Newbie
Group: Members
Posts: 1
Member No.: 37398
Joined: 4-November 13
|
Some months ago I noticed that in the codec list of VirtualDub's Video -> Compression... the codec "Microsoft Windows Media Video 9" (wmv3) had disappeared.
Instead, there was a blank line at the top of the list still connected to wmv9vcm.dll, but no configuration possible.
Reason: Microsoft Security Update KB2845142 from July 2013 fixes a vulnerability in WINDOWS\system32\wmv9vcm.dll. In Windows XP, version 9.0.1.369 (9.0.1.0369) was replaced by 9.0.1.3073.
According to a japanese website (http://blog.livedoor.jp/blackwingcat/archives/cat_30238.html), the configuration dialog seems to be missing in the new wmv9vcm.dll's resources.
Unfortunately, the revisions of Microsoft Security Bulletin MS13-057 have not updated KB2845142.
The only solution known to me (which may be a security risk) is to place the original wmv9vcm.dll in VirtualDub's directory. |
|
| phaeron |
| Posted: Nov 17 2013, 10:21 PM |
|
|
Virtualdub Developer
Group: Administrator
Posts: 7773
Member No.: 61
Joined: 30-July 02
|
Wow, that's kind of lame. The security vulnerability listed is for remote code execution, which is very serious but should only have affected the decode path. I can't see why they would have needed to remove the configuration dialog in order to fix this. It must have been in common code too, since the DirectShow decoder had to be updated as well as the VCM decoder.
Because the vulnerability involves the decoding path, it's true that you don't want to unilaterally back down to the old version of the codec as then opening a specially crafted file could trigger the vulnerability. However, there shouldn't be a problem with encoding with it since in that case you're not decoding unknown data and you're controlling the input anyway. Thus, I'd recommend using your workaround only when you are encoding to WMV3.
|
|
|
