News

Important Security Flaw Affects Windows 2000 Servers

• By Scott Bekker
• June 25, 2003

The flaw rated “important” on Microsoft’s threat scale involves a potential buffer overrun in Windows Media Services that could cause a Windows 2000 server to fail and execute an attacker’s code. The other new security bulletin deals with a threat rated by Microsoft as “moderate” in its Windows Media Player 9 Series.

The important vulnerability occurs because of the way Windows Media Services, which serves media content to clients across a network, logs client information during multicast transmissions. The logging capability is implemented as an ISAPI extension called nsiislog.dll, which has a flawed way of handling incoming requests. A specially formed HTTP request could cause Internet Information Services to fail or execute code on the user’s system.

There are several mitigating factors that prevent the flaw from being rated critical by Microsoft. For one, Windows Media Services is not installed by default. For another, an attacker would have to be aware which computers on the network have Windows Media Services installed.

Windows XP and Windows Server 2003 are unaffected by the vulnerability. Windows Media Services is not available for Windows 2000 Professional. While Windows 2000 Server, Advanced Server and Datacenter Server ship with Windows Media Services integrated, it was available as a download add-on for Windows NT 4.0. Customers who downloaded the add-on can be open to the vulnerability under some circumstances.

Microsoft’s security bulletin is available at www.microsoft.com/technet/security/bulletin/ms03-022.asp.

The less severe security bulletin released Wednesday involved an information disclosure vulnerability in the Windows Media Player 9 Series. A flaw exists in the way an ActiveX control, which allows Web page authors to create pages that can play media, provides access to information on the user’s computer. An attacker could exploit the vulnerability by luring a user to a Web page designed to take advantage of the flaw or enticing the user to open or preview an HTML e-mail.

The attacker would be limited to viewing and manipulating data in the media library on the user’s computer. “The attacker would not be able to browse the user’s hard disk and would not have access to passwords or encrypted data,” Microsoft wrote in the bulletin. “The attacker might also be able to determine the user name of the logged-on user by examining the directory paths to media files.”

The Windows Media Player security bulletin is available at www.microsoft.com/technet/security/bulletin/ms03-021.asp.