Microsoft Issues Producer Upgrade to Plug Security Vulnerability

Microsoft upgrades its Producer add-in to block the possibility of a buffer overflow vulnerability being exploited. The company patched the security vulnerability in Microsoft Movie Maker in March, but neglected to update Producer at the time.

Microsoft has released a new version of its Producer add-in component to fix a vulnerability previously left unpatched.

In March, Microsoft issued a patch for a buffer overflow vulnerability in Microsoft Movie Maker that also affected users of Producer, which is a free, downloadable tool for Office PowerPoint 2002 and 2003 designed to make it easier for users to synchronize audio, video and images to create presentations.

At the time, Microsoft chose not to update Producer to address the issue because the product does not offer a means for an automatic update.

"Based on our investigation, we determined that the best way to protect the vast majority of customers was to release an update addressing the components that shipped with Windows," blogged Jerry Bryant, senior security communications manager lead for Microsoft's Security Response Center.

The May 3 upgrade is meant to plug the security hole, which could potentially be exploited to allow an attacker to run arbitrary code with the rights of the logged-on user. So far, Microsoft has not observed any attacks targeting the vulnerability.

"In addition, Microsoft fixed installation switches for the Movie Maker 2.6 on Windows Vista and Windows 7 patches," said Jason Miller, data and security team manager for Shavlik Technologies. "If you have already applied these patches to your systems, you will not need to reapply the patches."

Those who do not want to upgrade can apply the workaround available as a Microsoft FixIt.

"The FixIt removes the file association from the application to prevent files from being opened in Producer when you double-click on them," Microsoft said. "Users who apply the FixIt can still open their projects by first launching Producer and then opening the file from within the application."