CVE-2010-0265
published 2010-03-10
Priority P356, critical, 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 26.64% (97.8th percentile)
Buffer overflow in Microsoft Windows Movie Maker 2.1, 2.6, and 6.0, and Microsoft Producer 2003, allows remote attackers to execute arbitrary code via a crafted project (.MSWMM) file, aka "Movie Maker and Producer Buffer Overflow Vulnerability."
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | producer | — | — |
| microsoft | windows_movie_maker | — | — |
| microsoft | windows_movie_maker | — | — |
| microsoft | windows_movie_maker | — | — |
Detection & IOCs (extracted from sources)
- Monitor for opening or creation of .MSWMM (Windows Movie Maker project) files from untrusted or remote sources, as exploitation delivers a crafted project file to trigger a buffer overflow leading to arbitrary code execution.
- Alert on Movie Maker (moviemk.exe) or Producer 2003 processes spawning unexpected child processes, which may indicate successful exploitation via a malicious .MSWMM file.
- Detect .MSWMM files containing NOP sled byte sequences (0x90 repeated) followed by a shellcode payload, as the exploit writes a 12-byte NOP sled padding block before the shellcode into the crafted project file.
- Flag shellcode length checks near 1120 bytes as a boundary indicator; payloads embedded in .MSWMM files at or near this size threshold are characteristic of this exploit.
- The exploit specifically targets Movie Maker versions 2.1, 2.6, and 6.0, and Microsoft Producer 2003; detections scoped to .MSWMM file handling should account for all three Movie Maker versions and Producer 2003.
- The exploit generates the malicious file locally as 'exploit.mswmm'; defenders should consider both file delivery via network (remote attacker scenario) and local file-based attack vectors when tuning detections.
No detection rules found.
No writeups or analysis indexed.
- http://www.us-cert.gov/cas/techalerts/TA10-068A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-016
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8595
Published: 2010-03-10