Add as a preferred source on Google


News

Microsoft Releases Two New Security Warnings

Microsoft has released two new security warnings, one regarding Microsoft Windows Media Services and one regarding Microsoft Systems Management Server (SMS). The vulnerability in Windows Media Services could allow denial of service attacks against a streaming media server, and the vulnerability in SMS could allow a user to gain elevated privileges on the local machine.

With Windows Media Services, the handshake sequence between a Windows Media server and a Windows Media Player is asynchronous, because certain resource requests are dependent on the successful completion of previous ones. If the client-side handshake packets are sent in a particular, misordered sequence, with certain timing constraints, the server will attempt to use a resource before it has been initialized and will fail catastrophically, causing the Windows Media Unicast Service to crash. The Windows Media Unicast Service can be put back into normal operating condition by restarting the service, but any sessions that were in effect at the time of the crash would need to be restarted.

Microsoft Windows Media Services 4.0 and 4.1 are affected. The patch for Windows NT Server 4.0 is available at http://download.microsoft.com/download/winmediatech40/Update/4954/NT4/EN-US/WMSU4954_NT4.EXE and the patch for Windows 2000 Server is available at http://download.microsoft.com/download/winmediatech40/Update/4954/NT5/EN-US/WMSU4954_Win2000.EXE.

With SMS, if the SMS 2.0 Remote Control feature has been installed and enabled on a machine, the folder in which the remote agent resides has its permissions set to Everyone Full Control by default. If a malicious user replaced the client code with code of his choosing, it would run automatically in a system context the next time he rebooted the machine and logged on. The vulnerability exists only if the Remote Control feature has been enabled. No other SMS features are affected by it.

Microsoft Systems Management Server 2.0 is affected by this vulnerability. The patch for X86 machines is available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18948 and the patch for Alpha machines is available at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=18499. - Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Dismantles RedVDS Cybercrime Marketplace Linked to $40M in Phishing Fraud

    In a coordinated action spanning the United States and the United Kingdom, Microsoft’s Digital Crimes Unit (DCU) and international law enforcement collaborators have taken down RedVDS, a subscription based cybercrime platform tied to an estimated $40 million in fraud losses in the U.S. since March 2025.

  • Sound Wave Illustration

    CrowdStrike's Acquisition of SGNL Aims to Strengthen Identity Security

    CrowdStrike signs definitive agreement to purchase SGNL, an identity security specialist, in a deal valued at about $740 million.

  • Microsoft Acquires Osmos, Automating Data Engineering inside Fabric

    In a strategic move to reduce time-consuming manual data preparation, Microsoft has acquired Seattle-based startup Osmos, specializing in agentic AI for data engineering.

  • Linux Foundation Unites Major Tech Firms to Launch Agentic AI Foundation

    The Linux Foundation today announced the creation of a new collaborative initiative — the Agentic AI Foundation (AAIF) — bringing together major AI and cloud players such as Microsoft, OpenAI, Anthropic and other major tech companies.

Most   Popular