Thursday, 17 December 2009 06:57
This is a very unusual solution, which Microsoft justifies in the name of security. Deprecating vulnerable code is "a rare occurrence, as it is usually challenging to remove functionality from products that customers are currently using without affecting existing applications," a Microsoft spokesperson told Ars. "In this case, we created defense-in-depth changes that reduce the attack surface and removed the functionality of this codec rather than addressing individual vulnerabilities because it provided more comprehensive protection for an older, less used codec."

The security advisory further explains how the update removes the most common remote attack vectors. The fix only allows applications to load the Indeo codec when the media content comes from the local system or from the intranet zone, so games and other applications that use the codec locally still work. Internet Explorer, Windows Media Player, and any other program that plays content from the Internet can no longer load anything that uses the codec. Microsoft had to make sure the codec would not be missed when visiting legitimate websites, while still being usable in corporate applications.

The advisory also notes that the update was not issued for the 32-bit and 64-bit editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, since those operating systems already bar the codec from loading. What is really curious here is that it took Redmond this long to bring the older operating systems up to the same level of security by blocking these known attack vectors, which is what protects users from being duped into visiting a malicious site. To remove every attack vector, Microsoft explains, the codec can be deregistered completely if the user wishes to do so.
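That last option, deregistering the codec entirely, is in practice a registry and COM cleanup. The PowerShell below is an added example written for this page, not code from Ars or from Microsoft's advisory. It assumes that Indeo is registered as a Video for Windows codec under the Drivers32 key with FOURCC value names vidc.iv31, vidc.iv32, vidc.iv41 and vidc.iv50 pointing at ir32_32.dll, ir41_32.ax and ir50_32.dll, and that the DirectShow filters among them can be unregistered with regsvr32 /u; those names are assumptions, not statements from the article, so check them against your own build before removing anything.

```powershell
# Added example (not from the article or from Microsoft): inventory the Indeo
# codec registrations on a Windows host and, optionally, deregister them.
# Assumed, not stated in the article: Indeo is registered as a VfW codec under
# Drivers32 with FOURCC value names vidc.iv31/iv32/iv41/iv50, backed by
# ir32_32.dll, ir41_32.ax and ir50_32.dll; DirectShow filters among them are
# COM servers that "regsvr32 /u" can unregister. Adjust if your build differs.

$Drivers32Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    # Present only on 64-bit hosts; its entries point at SysWOW64 modules.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
)

function Get-IndeoRegistration {
    # Returns one object per Indeo FOURCC entry found, with the module it
    # names and whether that module is actually present on disk.
    foreach ($key in $Drivers32Keys) {
        if (-not (Test-Path $key)) { continue }
        $sysDir = if ($key -like '*Wow6432Node*') { 'SysWOW64' } else { 'System32' }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Registry value names are matched case-insensitively by -match.
            if ($p.Name -match '^vidc\.iv(31|32|41|50)$') {
                $module = [string]$p.Value
                $path = Join-Path $env:SystemRoot "$sysDir\$module"
                [pscustomobject]@{
                    Key    = $key
                    FourCC = $p.Name
                    Module = $module
                    Path   = $path
                    OnDisk = (Test-Path $path)
                }
            }
        }
    }
}

function Remove-IndeoRegistration {
    # Removes the VfW registration and unregisters the COM filter for each
    # entry found. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $found = @(Get-IndeoRegistration)
    if ($found.Count -eq 0) {
        Write-Host 'No Indeo codec registrations found.'
        return
    }
    foreach ($entry in $found) {
        $target = "$($entry.Key)\$($entry.FourCC)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove VfW codec registration')) {
            Remove-ItemProperty -Path $entry.Key -Name $entry.FourCC -ErrorAction Stop
        }
        # Pure VfW drivers export no DllUnregisterServer, so regsvr32 /s fails
        # silently for them; removing the Drivers32 value above is what matters
        # in that case. DirectShow filters (.ax) do unregister here.
        if ($entry.OnDisk -and $PSCmdlet.ShouldProcess($entry.Path, 'regsvr32 /u')) {
            & "$env:SystemRoot\System32\regsvr32.exe" /u /s $entry.Path
        }
    }
}

# Inventory first. Then run "Remove-IndeoRegistration -WhatIf" to preview and,
# from an elevated prompt, "Remove-IndeoRegistration" to deregister for real.
Get-IndeoRegistration | Format-Table -AutoSize
```

The inventory pass is worth running on its own across a fleet: a host that reports no Indeo entries has nothing to deregister, while a host that reports entries but whose modules are missing on disk has a dangling registration that is harmless but worth cleaning so the result matches what the advisory calls a complete removal.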