Important Security Flaw Affects Windows 2000 Servers

Microsoft on Wednesday put out a pair of security bulletins, including one alerting users to an important security flaw affecting Windows 2000 servers.

The flaw, rated “important” on Microsoft’s threat scale, involves a potential buffer overrun in Windows Media Services that could cause a Windows 2000 server to fail and execute an attacker’s code. The other new security bulletin deals with a threat in the Windows Media Player 9 Series that Microsoft rates as “moderate.”

The important vulnerability occurs because of the way Windows Media Services, which serves media content to clients across a network, logs client information during multicast transmissions. The logging capability is implemented as an ISAPI extension called nsiislog.dll, which has a flawed way of handling incoming requests. A specially formed HTTP request could cause Internet Information Services to fail or execute code on the user’s system.

There are several mitigating factors that prevent the flaw from being rated critical by Microsoft. For one, Windows Media Services is not installed by default. For another, an attacker would have to be aware which computers on the network have Windows Media Services installed.

Windows XP and Windows Server 2003 are unaffected by the vulnerability. Windows Media Services is not available for Windows 2000 Professional. While Windows 2000 Server, Advanced Server and Datacenter Server ship with Windows Media Services integrated, it was available as a download add-on for Windows NT 4.0. Customers who downloaded the add-on can be open to the vulnerability under some circumstances.

Microsoft’s security bulletin is available at www.microsoft.com/technet/security/bulletin/ms03-022.asp.

The less severe security bulletin released Wednesday involved an information disclosure vulnerability in the Windows Media Player 9 Series. A flaw exists in the way an ActiveX control, which allows Web page authors to create pages that can play media, provides access to information on the user’s computer. An attacker could exploit the vulnerability by luring a user to a Web page designed to take advantage of the flaw or enticing the user to open or preview an HTML e-mail.

The attacker would be limited to viewing and manipulating data in the media library on the user’s computer. “The attacker would not be able to browse the user’s hard disk and would not have access to passwords or encrypted data,” Microsoft wrote in the bulletin. “The attacker might also be able to determine the user name of the logged-on user by examining the directory paths to media files.”

The Windows Media Player security bulletin is available at www.microsoft.com/technet/security/bulletin/ms03-021.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
