__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

Microsoft Flaw in ISAPI Extension for Windows Media Services Could Cause 
Code Execution
                     [Microsoft Security Bulletin MS03-022]

June 25, 2003 20:00 GMT                                           Number N-109
______________________________________________________________________________
PROBLEM:       There is a flaw in the way nsiislog.dll processes incoming 
               client requests. 
SOFTWARE:      Microsoft Windows 2000 
DAMAGE:        An attacker could send specially formed HTTP request to the 
               server that could cause IIS to fail or execute code on the 
               user's system. 
SOLUTION:      Apply patch as stated in Microsoft's security bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker attempting to exploit this 
ASSESSMENT:    vulnerability would have to be aware which computers on the 
               network had Windows Media Services installed on it and send a 
               specific request to that server. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-109.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/
                      default.asp?url=/technet/security/bulletin/MS03-022.asp 
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS03-022 *****]

Microsoft Security Bulletin MS03-022 

Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution 
(822343)
Originally posted: June 25, 2003

Summary

Who should read this bulletin: System administrators running Microsoft® 
Windows® 2000 

Impact of vulnerability: Allow an attacker to execute code of their choice 

Maximum Severity Rating: Important 

Recommendation: System administrators should install the patch at the earliest 
available opportunity. 

End User Bulletin: An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-022.asp. 

Affected Software: 

* Microsoft Windows 2000 

Not Affected Software Versions:

* Windows NT 4.0 
* Microsoft Windows XP 
* Microsoft Windows Server 2003 

 Technical details

Technical description: 

Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, 
Advanced Server, and Datacenter Server and is also available in a downloadable 
version for Windows NT 4.0 Server. Windows Media Services contains support for 
a method of delivering media content to clients across a network known as 
multicast streaming. In multicast streaming, the server has no connection to or 
knowledge of the clients that may be receiving the stream of media content 
coming from the server. To facilitate logging of client information for the 
server, Windows 2000 includes a capability specifically designed to enable 
logging for multicast transmissions. 

This logging capability is implemented as an Internet Services Application 
Programming Interface (ISAPI) extension – nsiislog.dll. When Windows Media 
Services are added through add/remove programs to Windows 2000, nsiislog.dll 
is installed in the Internet Information Services (IIS) Scripts directory on 
the server. Once Windows Media Services is installed, nsiislog.dll is 
automatically loaded and used by IIS.

There is a flaw in the way nsiislog.dll processes incoming client requests. 
A vulnerability exists because an attacker could send specially formed HTTP 
request (communications) to the server that could cause IIS to fail or execute 
code on the user's system. 

Windows Media Services is not installed by default on Windows 2000. An attacker 
attempting to exploit this vulnerability would have to be aware which computers 
on the network had Windows Media Services installed on it and send a specific 
request to that server. 

Mitigating factors: 

* Windows Media Services 4.1 is not installed by default on Windows 2000. 
* Windows Media Services are not available for Windows 2000 Professional. 

Severity Rating: Windows 2000 Important 
The above assessment is based on the types of systems affected by the vulnerability, 
their typical deployment patterns, and the effect that exploiting the vulnerability 
would have on them. 

Vulnerability identifier: CAN-2003-0349 

Tested Versions:
Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 to 
assess whether they are affected by these vulnerabilities. Previous versions are no 
longer supported, and may or may not be affected by these vulnerabilities.

Patch availability

Download locations for this patch 

* Microsoft Windows 2000: 
http://microsoft.com/downloads/
  details.aspx?FamilyId=F772E131-BBC9-4B34-9E78-F71D9742FED8&displaylang=en 

 Additional information about this patch

Installation platforms: 
This patch can be installed on systems running Microsoft Windows 2000 Service Pack 2, 
Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4.
 
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 5. 

Reboot needed: No. 

Patch can be uninstalled: No. 

Superseded patches: This patch supercedes the patch provided with MS03-019. 

Verifying patch installation: 

* To verify that the patch has been installed on the machine, confirm that the following 
  registry key has been created on the machine: 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Services\wm822343 

* To verify the individual files, use the date/time and version information provided in 
  Knowledge Base article 822343. 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in “Patch 
Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be most 
  easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 

Acknowledgments
Microsoft thanks  Brett Moore for reporting this issue to us and working with us to protect 
customers. 

Support: 

* Microsoft Knowledge Base article 822343 discusses this issue and will be available 
  approximately 24 hours after the release of this bulletin. Knowledge Base articles can be 
  found on the Microsoft Online Support web site. 
* Technical support is available from Microsoft Product Support Services. There is no charge 
  for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty 
of any kind. Microsoft disclaims all warranties, either express or implied, including the 
warranties of merchantability and fitness for a particular purpose. In no event shall 
Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special damages, even if 
Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply. 

Revisions: 

* V1.0 (June 25, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-022 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-099: Apache 2.0.46 Release Fixes Security Vulnerabilities
N-100: Microsoft Windows Media Services ISAPI Extenstion Flaw
N-101: Microsoft Cumulative Patch for Internet Explorer (IE)
N-102: Hewlett-Packard Potential Security Vulnerabilities in CDE
N-103: Sun ONE Application Server May Disclose JavaServer Pages (JSP) Source
N-104: Red Hat Updated KDE packages 
N-105: Sun "/usr/lib/utmp_update" Command Buffer Overflow Vulnerability
N-106: SGI Websetup/Webmin Security Vulnerability
N-107: PDF readers/viewers Malicious Hyperlinks Vulnerability
N-108: Sun's XSun Program Buffer Overflow Vulnerability