__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Microsoft Windows Media Services ISAPI Extension Flaw
                     [Microsoft Security Bulletin MS03-019]

June 3, 2003 14:00 GMT                                            Number N-100
______________________________________________________________________________
PROBLEM:       Windows Media Services (streaming audio and video) is a feature
               of Microsoft's Windows 2000 Server, Advanced Server, Datacenter
               Server, and Windows NT 4.0 Server. It contains support for
               delivering media content to clients across a network known as
               multicast streaming. This capability is implemented as an
               Internet Services Application Programming Interface (ISAPI)
               extension – nsiislog.dll, and is installed to the Internet
               Information Services (IIS) Scripts directory on the server. A
               flaw in the way nsiislog.dll processes incoming requests has
               been identified.
SOFTWARE:      Microsoft's Window Media Services only when installed on
               Windows 2000 or Windows NT 4.0 servers.
DAMAGE:        By sending specially formed communications to a server running
               Windows Media Services, an attacker might include code which
               may cause a Windows 2000 or Windows NT 4.0 server to fail in
               such a way that could allow code to execute in the security
               context of the IIS service, or execute code of their choice on
               a victim's system.
SOLUTION:      Apply appropriate Microsoft patches as described in MS03-019.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Windows Media Services is not installed by
ASSESSMENT:    default, and this high vulnerability risk only applies when it
               has been installed on Windows 2000 or Windows NT 4.0 servers.
               The attacker would have to be aware of which server on the
               network Windows Media Services had been installed on, and was
               performing logging, in order to cause the server to stop
               responding to IIS requests.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-100.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=
                     /technet/security/bulletin/MS03-019.asp
 PATCHES:            Microsoft Windows NT 4.0:
                     http://microsoft.com/downloads/details.aspx?FamilyId=
					 8D7E3716-1AA7-4EDC-B084-7D50C8D3C2AB&displaylang=en
                     Microsoft Windows 2000:
                     http://microsoft.com/downloads/details.aspx?FamilyId=
					 9EFA4EBD-2068-4742-917D-A2638688C029&displaylang=en
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-019 *****]

Microsoft Security Bulletin MS03-019   


Flaw in ISAPI Extension for Windows Media Services Could Cause Code 
Execution (817772)
Originally posted: May 28, 2003

Updated: May 30, 2003

Summary
Who should read this bulletin: System administrators running Microsoft® 
Windows NT 4.0 or Microsoft Windows 2000 

Impact of vulnerability: Allow an attacker to execute code of their choice 

Maximum Severity Rating: Important 

Recommendation: System administrators install the patch at the earliest 
available opportunity. 

Affected Software: 

Microsoft Windows NT 4.0 
Microsoft Windows 2000 

Non Affected Software:
Microsoft Windows XP 
Microsoft Windows Server 2003 

Technical details

Technical description: 


On May 28th, Microsoft released the initial version of this bulletin, 
rating the severity of the vulnerability as Moderate. Subsequent to that 
release we have determined that the actions an attacker could take as a 
result of exploiting this vulnerability could include the ability to 
execute arbitrary code. As a result Microsoft has reissued this bulletin 
and changed the severity rating to Important. The original patch corrects 
the vulnerability and is not being re-released. 

Microsoft Windows Media Services is a feature of Microsoft Windows 2000 
Server, Advanced Server, and Datacenter Server and is also available as 
a downloadable version for Windows NT 4.0 Server. Windows Media Services 
contain support for a method of delivering media content to clients across 
a network known as multicast streaming. In multicast streaming however, 
the server has no connection or knowledge of the clients that may be 
receiving the stream coming from the server. To facilitate logging of 
client information for the server Windows 2000 includes a capability 
specifically designed for that purpose. To help with this problem, 
Windows 2000 includes logging capabilities for multicast and unicast 
transmissions.

This capability is implemented as an Internet Services Application 
Programming Interface (ISAPI) extension – nsiislog.dll. When Windows 
Media Services are installed in Windows NT 4.0 Server or added through 
add/remove programs to Windows 2000, nsiislog.dll is installed to the 
Internet Information Services (IIS) Scripts directory on the server. 

There is a flaw in the way in which nsiislog.dll processes incoming 
requests. A vulnerability exists because an attacker could send specially 
formed communications to the server that could cause IIS to fail or execute 
code on the user's system.

Windows Media Services is not installed by default on Windows 2000, and must 
be downloaded to install on Windows NT 4.0. An attacker attempting to exploit 
this vulnerability would have to be aware which computers on the network had 
Windows Media Services installed on it and send a specific request to that 
server. 


Mitigating factors: 

Windows Media Services 4.1 is not installed by default on Windows 2000, and 
must be downloaded to install on Windows NT 4.0. 

Windows Media Services are not available for Windows 2000 Professional or 
Windows NT 4.0 Workstation 

The attacker would have to know which server on the network Windows Media 
Services had been installed on. 

Severity Rating: 
Windows NT 4.0 Important 
Windows 2000 Important 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0227 

Tested Versions:
Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 
2003 to assess whether they are affected by these vulnerabilities. Previous 
versions are no longer supported, and may or may not be affected by these 
vulnerabilities.


Patch availability

Download locations for this patch 
Microsoft Windows NT 4.0: 
http://microsoft.com/downloads/details.aspx?FamilyId=
   8D7E3716-1AA7-4EDC-B084-7D50C8D3C2AB&displaylang=en 
   
Microsoft Windows 2000: 
http://microsoft.com/downloads/details.aspx?FamilyId=
   9EFA4EBD-2068-4742-917D-A2638688C029&displaylang=en 

Additional information about this patch

Installation platforms: 

The Windows NT 4.0 patch can be installed on systems running Service Pack 6a. 

The Windows 2000 patch can be installed on systems running Windows 2000 
Service Pack 2 or Service Pack 3.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 4. 

Reboot needed: No. 

Patch can be uninstalled: No. 

Superseded patches: None. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, confirm that 
the following registry key has been created on the machine: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Updates\Windows Media Services\wm817772 

To verify the individual files, use the date/time and version information 
provided in Knowledge Base article 817772. 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
“Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 


Security patches are available from the Microsoft Download Center, and can be 
most easily found by doing a keyword search for "security_patch". 

Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks  Brett Moore for reporting this issue to us and working with 
us to protect customers. 

Support: 

Microsoft Knowledge Base article 817772 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. Knowledge 
Base articles can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. There 
is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional 
information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the possibility 
of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation 
may not apply. 

Revisions: 


V1.0 May 28, 2003: Bulletin Created. 
V2.0 May 30, 2003: Re-released bulletin with new rating of Important to 
reflect additional action an attacker could take. 


[***** End Microsoft Security Bulletin MS03-019 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-090: Red Hat mod_auth_any Vulnerabilities
N-091: Sun Cobalt PHP SafeMode Vulnerability
N-092: Microsoft Flaw in Windows Media Player Skins
N-093: Cisco VPN 3000 Concentrator Vulnerabilities
N-094: HP Potential Security Vulnerability in wall(1M)
N-095: Red Hat Multiple Vulnerabilities in KDE
N-096: Red Hat New Kernel Fixes Local Security Issues
N-097: Red Hat Updated Tcpdump Packages
N-098: Microsoft Cumulative Patch for Internet Information Service (IIS)
N-099: Apache 2.0.46 Release Fixes Security Vulnerabilities