Under current Windows multimedia implementations, CODECs for media content have the ability to do anything the underlying user can do. Thus, anyone who uses any multimedia CODECs allows their authors access to their machines.
I would suggest that multimedia CODECs (and various other such code snippets)
should be run in a zero-privileges VM. The OS would load the CODEC into memory, create buffer areas sized according to the CODECs requirements, and then call it in a VM that could access nothing whatsoever except its expressly-allocated memory.
The first buffer would contain information about what action was requested of the CODEC; one of the defined actions would be to fill in a buffer with information about its version, memory requirements, etc.
Arranging things in this way should allow considerable protection from either rogue CODECs, or rogue media streams that exploit buffer overflows. A corrupt media stream could crash a poorly-written CODEC, but the most it would be able to do would be to hog memory and CPU time up to specified limits, and generate bogus picture and sound data.-- supercat,
Dec 23 2005random,