N-100: Microsoft Windows Media Services ISAPI Extension Flaw

CIAC INFORMATION BULLETIN

N-100: Microsoft Windows Media Services ISAPI Extension Flaw

[Microsoft Security Bulletin MS03-019]

June 3, 2003 14:00 GMT

PROBLEM: Windows Media Services (streaming audio and video) is a feature of Microsoft's Windows 2000 Server, Advanced Server, Datacenter Server, and Windows NT 4.0 Server. It includes support for multicast streaming, a method of delivering media content to clients across a network. Client logging for these streams is implemented as an Internet Services Application Programming Interface (ISAPI) extension, nsiislog.dll, which is installed to the Internet Information Services (IIS) Scripts directory on the server. A flaw in the way nsiislog.dll processes incoming requests has been identified.
SOFTWARE: Microsoft Windows Media Services, only when installed on Windows 2000 or Windows NT 4.0 servers.
DAMAGE: By sending specially formed communications to a server running Windows Media Services, an attacker may cause a Windows 2000 or Windows NT 4.0 server to fail in a way that could allow code to execute in the security context of the IIS service, or could execute code of their choice on the victim's system.
SOLUTION: Apply appropriate Microsoft patches as described in MS03-019.

VULNERABILITY ASSESSMENT: The risk is HIGH. Windows Media Services is not installed by default, and this high risk applies only when it has been installed on Windows 2000 or Windows NT 4.0 servers. The attacker would have to know which server on the network had Windows Media Services installed and was performing logging in order to cause the server to stop responding to IIS requests.

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-100.shtml
  ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-019.asp
  PATCHES:
    Microsoft Windows NT 4.0: http://microsoft.com/downloads/details.aspx?FamilyId=8D7E3716-1AA7-4EDC-B084-7D50C8D3C2AB&displaylang=en
    Microsoft Windows 2000: http://microsoft.com/downloads/details.aspx?FamilyId=9EFA4EBD-2068-4742-917D-A2638688C029&displaylang=en

   
[***** Start Microsoft Security Bulletin MS03-019 *****]

Microsoft Security Bulletin MS03-019  


Flaw in ISAPI Extension for Windows Media Services Could Cause Code 
Execution (817772)
Originally posted: May 28, 2003

Updated: May 30, 2003

Summary
Who should read this bulletin: System administrators running Microsoft® 
Windows NT 4.0 or Microsoft Windows 2000 

Impact of vulnerability: Allow an attacker to execute code of their choice 

Maximum Severity Rating: Important 

Recommendation: System administrators should install the patch at the 
earliest available opportunity. 

Affected Software: 

Microsoft Windows NT 4.0 
Microsoft Windows 2000 

Non Affected Software:
Microsoft Windows XP 
Microsoft Windows Server 2003 

Technical details

Technical description: 


On May 28th, Microsoft released the initial version of this bulletin, 
rating the severity of the vulnerability as Moderate. Subsequent to that 
release we have determined that the actions an attacker could take as a 
result of exploiting this vulnerability could include the ability to 
execute arbitrary code. As a result Microsoft has reissued this bulletin 
and changed the severity rating to Important. The original patch corrects 
the vulnerability and is not being re-released. 

Microsoft Windows Media Services is a feature of Microsoft Windows 2000 
Server, Advanced Server, and Datacenter Server and is also available as 
a downloadable version for Windows NT 4.0 Server. Windows Media Services 
contain support for a method of delivering media content to clients across 
a network known as multicast streaming. In multicast streaming however, 
the server has no connection or knowledge of the clients that may be 
receiving the stream coming from the server. To facilitate logging of 
client information for the server Windows 2000 includes a capability 
specifically designed for that purpose. To help with this problem, 
Windows 2000 includes logging capabilities for multicast and unicast 
transmissions.

This capability is implemented as an Internet Services Application 
Programming Interface (ISAPI) extension – nsiislog.dll. When Windows 
Media Services are installed in Windows NT 4.0 Server or added through 
add/remove programs to Windows 2000, nsiislog.dll is installed to the 
Internet Information Services (IIS) Scripts directory on the server. 

There is a flaw in the way in which nsiislog.dll processes incoming 
requests. A vulnerability exists because an attacker could send specially 
formed communications to the server that could cause IIS to fail or execute 
code on the user's system.

Windows Media Services is not installed by default on Windows 2000, and must 
be downloaded to install on Windows NT 4.0. An attacker attempting to exploit 
this vulnerability would have to be aware of which computers on the network 
had Windows Media Services installed and send a specific request to one of 
those servers. 


Mitigating factors: 

Windows Media Services 4.1 is not installed by default on Windows 2000, and 
must be downloaded to install on Windows NT 4.0. 

Windows Media Services are not available for Windows 2000 Professional or 
Windows NT 4.0 Workstation 

The attacker would have to know which server on the network Windows Media 
Services had been installed on. 

Severity Rating: 
Windows NT 4.0 Important 
Windows 2000 Important 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0227 

Tested Versions:
Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 
2003 to assess whether they are affected by these vulnerabilities. Previous 
versions are no longer supported, and may or may not be affected by these 
vulnerabilities.


Patch availability

Download locations for this patch 
Microsoft Windows NT 4.0: 
http://microsoft.com/downloads/details.aspx?FamilyId=8D7E3716-1AA7-4EDC-B084-7D50C8D3C2AB&displaylang=en 
   
Microsoft Windows 2000: 
http://microsoft.com/downloads/details.aspx?FamilyId=9EFA4EBD-2068-4742-917D-A2638688C029&displaylang=en 

Additional information about this patch

Installation platforms: 

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a. 

The Windows 2000 patch can be installed on systems running Windows 2000 
Service Pack 2 or Service Pack 3.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 4. 

Reboot needed: No. 

Patch can be uninstalled: No. 

Superseded patches: None. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, confirm that 
the following registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Services\wm817772 

To verify the individual files, use the date/time and version information 
provided in Knowledge Base article 817772. 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
“Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks Brett Moore for reporting this issue to us and working with 
us to protect customers. 

Support: 

Microsoft Knowledge Base article 817772 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. Knowledge 
Base articles can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There 
is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the possibility 
of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation 
may not apply. 

Revisions: 

V1.0 May 28, 2003: Bulletin Created. 
V2.0 May 30, 2003: Re-released bulletin with new rating of Important to 
reflect additional action an attacker could take. 

[***** End Microsoft Security Bulletin MS03-019 *****]
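
Added example (not part of the CIAC or Microsoft text): because the bulletin notes that an attacker must first learn which servers carry nsiislog.dll, requests for that file in IIS logs show who is looking for it and whether the server answered. The code assumes IIS W3C extended logs; the sample lines are constructed, and treating any non-404 status as "answered" is a heuristic chosen for this example.

```python
from urllib.parse import unquote
TARGET = "nsiislog.dll"  # ISAPI extension named in the bulletin

# Constructed sample, IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-03 14:02:11 192.0.2.10 GET /default.htm - 200
2003-06-03 14:02:15 198.51.100.7 GET /scripts/nsiislog.dll - 200
2003-06-03 14:02:19 198.51.100.7 POST /Scripts/NSIISLOG.DLL - 200
2003-06-03 14:03:40 203.0.113.5 GET /scripts/nsiislog.dll - 404
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-06-03 15:10:02 198.51.100.7 POST /scripts/%6Esiislog.dll 200
truncated line
"""

def parse_w3c(lines):
    """Yield one dict per entry, following each #Fields directive as it appears."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS rewrites the header on restart
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))   # malformed rows are skipped

def nsiislog_hits(lines):
    """Return entries whose URI stem names the extension, ignoring case and %-encoding."""
    hits = []
    for entry in parse_w3c(lines):
        stem = unquote(entry.get("cs-uri-stem", "")).replace("\\", "/")
        if stem.rsplit("/", 1)[-1].lower() == TARGET:
            hits.append(entry)
    return hits

def summarize(hits):
    """Per client: request count, methods, statuses, and 'answered' (heuristic:
    some request got a non-404 status, so the extension is present on this server)."""
    out = {}
    for h in hits:
        rec = out.setdefault(h.get("c-ip", "?"), {"count": 0, "methods": set(), "statuses": set()})
        rec["count"] += 1
        rec["methods"].add(h.get("cs-method", "?"))
        rec["statuses"].add(h.get("sc-status", "?"))
        rec["answered"] = bool(rec["statuses"] - {"404"})
    return out

if __name__ == "__main__":
    print(summarize(nsiislog_hits(SAMPLE_LOG.splitlines())))
```

A server whose log shows answered requests for the extension is one to check against the registry key given under "Verifying patch installation".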


CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/