Vulnerability Spotlight: Code execution vulnerability in Microsoft Media Foundation

_
_Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Media Foundation’s framework contains a code execution vulnerability. This specific bug lies in Media Foundations’ MPEG4 DLL. An attacker could provide a user with a specially crafted ASF file to exploit this vulnerability. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Microsoft Media Foundation IMFASFSplitter::Initialize code execution vulnerability (TALOS-2019-0946/CVE-2020-0738)

An exploitable type confusion vulnerability exists in the mfasfsrcsnk.dll of Microsoft Media Foundation 10.0.18362.207. A specially crafted ASF file can cause type confusion, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that this vulnerability affects the 32-and 64-bit versions of Windows 10 Media Foundation ASF Source and Sink DLL, version 10.0.18362.207 (WinBuild.160101.0800).

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52095, 52096