Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Microsoft Media Foundation’s framework contains a remote code execution vulnerability that exists due to a use-after-free condition. This specific bug lies in Media Foundation's MPEG4 DLL. An attacker could provide a user with a specially crafted QuickTime file to exploit this vulnerability. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates here, and see the Snort rules that provide coverage here. In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details Microsoft Media Foundation CMP4MetadataHandler AddQTMetadata code execution vulnerability (TALOS-2019-0912/CVE-2019-1430)

An exploitable use-after-free vulnerability exists in the mfmp4srcsnk.dll of Microsoft Media Foundation. A specially crafted QuickTime file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested Talos tested and confirmed that this vulnerability affects the 32-and 64-bit versions of Windows 10 Media Foundation MPEG4 Source and Sink DLL, version 10.0.18362.207 (WinBuild.160101.0800), version 12.0.18362.1 of Windows Media Player and version 44.18362.267.0 of Microsoft Edge.

Coverage The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules: 51673 - 51680