Microsoft Windows Media Services ISAPI Extension Flaw (CIAC N-100)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Microsoft Windows Media Services ISAPI Extension Flaw
                     [Microsoft Security Bulletin MS03-019]

June 3, 2003 14:00 GMT                                            Number N-100
______________________________________________________________________________
PROBLEM:       Windows Media Services (streaming audio and video) is a feature
               of Microsoft's Windows 2000 Server, Advanced Server, Datacenter
               Server, and Windows NT 4.0 Server. It contains support for
               delivering media content to clients across a network known as
               multicast streaming. This capability is implemented as an
               Internet Services Application Programming Interface (ISAPI)
               extension – nsiislog.dll, and is installed to the Internet
               Information Services (IIS) Scripts directory on the server. A
               flaw in the way nsiislog.dll processes incoming requests has
               been identified.
SOFTWARE:      Microsoft's Windows Media Services only when installed on
               Windows 2000 or Windows NT 4.0 servers.
DAMAGE:        By sending specially formed communications to a server running
               Windows Media Services, an attacker might include code which
               may cause a Windows 2000 or Windows NT 4.0 server to fail in
               such a way that could allow code to execute in the security
               context of the IIS service, or execute code of their choice on
               a victim's system.
SOLUTION:      Apply appropriate Microsoft patches as described in MS03-019.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Windows Media Services is not installed by
ASSESSMENT:    default, and this high vulnerability risk only applies when it
               has been installed on Windows 2000 or Windows NT 4.0 servers.
               The attacker would have to be aware of which server on the
               network Windows Media Services had been installed on, and was
               performing logging, in order to cause the server to stop
               responding to IIS requests.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-100.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-019.asp
 PATCHES:            Microsoft Windows NT 4.0:
                     http://microsoft.com/downloads/details.aspx?FamilyId=8D7E3716-1AA7-4EDC-B084-7D50C8D3C2AB&displaylang=en
                     Microsoft Windows 2000:
                     http://microsoft.com/downloads/details.aspx?FamilyId=9EFA4EBD-2068-4742-917D-A2638688C029&displaylang=en
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-019 *****]

Microsoft Security Bulletin MS03-019   


Flaw in ISAPI Extension for Windows Media Services Could Cause Code 
Execution (817772)
Originally posted: May 28, 2003

Updated: May 30, 2003

Summary
Who should read this bulletin: System administrators running Microsoft® 
Windows NT 4.0 or Microsoft Windows 2000 

Impact of vulnerability: Allow an attacker to execute code of their choice 

Maximum Severity Rating: Important 

Recommendation: System administrators install the patch at the earliest 
available opportunity. 

Affected Software: 

Microsoft Windows NT 4.0 
Microsoft Windows 2000 

Non Affected Software:
Microsoft Windows XP 
Microsoft Windows Server 2003 

Technical details

Technical description: 


On May 28th, Microsoft released the initial version of this bulletin, 
rating the severity of the vulnerability as Moderate. Subsequent to that 
release we have determined that the actions an attacker could take as a 
result of exploiting this vulnerability could include the ability to 
execute arbitrary code. As a result Microsoft has reissued this bulletin 
and changed the severity rating to Important. The original patch corrects 
the vulnerability and is not being re-released. 

Microsoft Windows Media Services is a feature of Microsoft Windows 2000 
Server, Advanced Server, and Datacenter Server and is also available as 
a downloadable version for Windows NT 4.0 Server. Windows Media Services 
contain support for a method of delivering media content to clients across 
a network known as multicast streaming. In multicast streaming, however, 
the server has no connection to or knowledge of the clients that may be 
receiving the stream coming from the server. To help with this problem, 
Windows 2000 includes logging capabilities for multicast and unicast 
transmissions, designed specifically to log client information for the 
server.

This capability is implemented as an Internet Services Application 
Programming Interface (ISAPI) extension – nsiislog.dll. When Windows 
Media Services are installed in Windows NT 4.0 Server or added through 
add/remove programs to Windows 2000, nsiislog.dll is installed to the 
Internet Information Services (IIS) Scripts directory on the server. 

There is a flaw in the way in which nsiislog.dll processes incoming 
requests. A vulnerability exists because an attacker could send specially 
formed communications to the server that could cause IIS to fail or execute 
code on the user's system.

Windows Media Services is not installed by default on Windows 2000, and must 
be downloaded to install on Windows NT 4.0. An attacker attempting to exploit 
this vulnerability would have to be aware of which computers on the network 
had Windows Media Services installed and send a specific request to that 
server. 
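
Added example (not part of the Microsoft or CIAC bulletin): one way to find which of your IIS servers are receiving requests for nsiislog.dll, by parsing IIS W3C extended logs and summarizing the matching requests per client. The sample log lines and addresses are constructed; the field names are the standard W3C extended log fields.

```python
from collections import Counter

TARGET = "nsiislog.dll"  # ISAPI extension named in the bulletin

# Constructed sample in IIS W3C extended log format (documentation addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-06-03 14:01:07 192.0.2.10 GET /default.htm 200
2003-06-03 14:02:11 198.51.100.7 POST /scripts/nsiislog.dll 200
2003-06-03 14:02:15 198.51.100.7 POST /Scripts/NSIISLOG.DLL 500
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-03 14:05:40 203.0.113.4 GET /scripts/nsiislog.dll - 404
2003-06-03 14:06:02 192.0.2.10 GET /media/nsiislog.dll.txt - 200
"""

def find_requests(lines, target=TARGET):
    """Return one dict per logged request whose URI stem names the target file."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # IIS rewrites this directive on restart or config change, so the
            # column layout can differ between sections of the same file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt record: skip rather than misread
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "").lower()
        # Windows paths are case-insensitive; compare the last path segment.
        if stem.rsplit("/", 1)[-1] == target:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count matching requests per (client, method, status)."""
    return Counter((h.get("c-ip", "?"), h.get("cs-method", "?"),
                    h.get("sc-status", "?")) for h in hits)

if __name__ == "__main__":
    hits = find_requests(SAMPLE_LOG.splitlines())
    for (ip, method, status), n in sorted(summarize(hits).items()):
        print(f"{ip:15} {method:5} {status} x{n}")
```

Servers whose logs show this path being served are the ones to check first for the patch registry key described under "Verifying patch installation".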


Mitigating factors: 

Windows Media Services 4.1 is not installed by default on Windows 2000, and 
must be downloaded to install on Windows NT 4.0. 

Windows Media Services are not available for Windows 2000 Professional or 
Windows NT 4.0 Workstation. 

The attacker would have to know which server on the network Windows Media 
Services had been installed on. 

Severity Rating: 
Windows NT 4.0 Important 
Windows 2000 Important 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0227 

Tested Versions:
Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 
2003 to assess whether they are affected by these vulnerabilities. Previous 
versions are no longer supported, and may or may not be affected by these 
vulnerabilities.


Patch availability

Download locations for this patch 
Microsoft Windows NT 4.0: 
http://microsoft.com/downloads/details.aspx?FamilyId=
   8D7E3716-1AA7-4EDC-B084-7D50C8D3C2AB&displaylang=en 
   
Microsoft Windows 2000: 
http://microsoft.com/downloads/details.aspx?FamilyId=
   9EFA4EBD-2068-4742-917D-A2638688C029&displaylang=en 

Additional information about this patch

Installation platforms: 

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a. 

The Windows 2000 patch can be installed on systems running Windows 2000 
Service Pack 2 or Service Pack 3.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 4. 

Reboot needed: No. 

Patch can be uninstalled: No. 

Superseded patches: None. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, confirm that 
the following registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Services\wm817772 

To verify the individual files, use the date/time and version information 
provided in Knowledge Base article 817772. 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
"Patch Availability". 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 


Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site. 

Other information: 

Acknowledgments
Microsoft thanks Brett Moore for reporting this issue to us and working with 
us to protect customers. 

Support: 

Microsoft Knowledge Base article 817772 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. Knowledge 
Base articles can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There 
is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the possibility 
of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation 
may not apply. 

Revisions: 


V1.0 May 28, 2003: Bulletin Created. 
V2.0 May 30, 2003: Re-released bulletin with new rating of Important to 
reflect additional action an attacker could take. 


[***** End Microsoft Security Bulletin MS03-019 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-090: Red Hat mod_auth_any Vulnerabilities
N-091: Sun Cobalt PHP SafeMode Vulnerability
N-092: Microsoft Flaw in Windows Media Player Skins
N-093: Cisco VPN 3000 Concentrator Vulnerabilities
N-094: HP Potential Security Vulnerability in wall(1M)
N-095: Red Hat Multiple Vulnerabilities in KDE
N-096: Red Hat New Kernel Fixes Local Security Issues
N-097: Red Hat Updated Tcpdump Packages
N-098: Microsoft Cumulative Patch for Internet Information Service (IIS)
N-099: Apache 2.0.46 Release Fixes Security Vulnerabilities