Microsoft Security Bulletin (MS00-013): Frequently Asked Questions
What's this bulletin about?
Microsoft Security Bulletin MS00-013 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows Media Services. The vulnerability could allow denial of service attacks against a streaming media server. Microsoft is committed to protecting its customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. It could allow a malicious user to crash a streaming media multicast service. The service could be put back into operation by restarting the Windows Media Unicast Service.
The vulnerability would not allow the malicious user to usurp any administrative control over the machine or to access any data on it. However, any streaming media sessions that were in effect at the time of the attack would be interrupted.
What causes the vulnerability?
The vulnerability exists because the Windows Media server expects the packets in the handshake sequence with the client to occur in a particular order. If the packets are sent in a particular order and with particular timing, it is possible to cause the Windows Media Unicast Service to crash.
Why does sending the packets out of order cause a crash?
The handshake sequence between a Windows Media server and a client is used to allocate and initialize resources needed to support a streaming media session. The handshake sequence is asynchronous - it occurs in a particular order, and the client proceeds to the next step only when the server acknowledges that it has completed the previous one.
The vulnerability results because the malformed handshake sequence causes a resource to be used before it is initialized. This causes it to fail in a catastrophic manner, and the Windows Media Unicast Service crashes as a result.
Could this occur accidentally?
No. Only a specific handshake sequence will cause a crash, and even then it is subject to timing considerations. No legitimate client generates a handshake sequence with these characteristics.
Could this vulnerability be exploited remotely?
Yes. The handshake sequence at issue here is one involving a client on a different machine. However, if a Windows Media Server were being used solely on an intranet and a firewall were in place and configured to block port 1755, the server could not be attacked by malicious users outside of the firewall.
What would be needed in order to put an affected server back into service?
The Windows Media Unicast Service would need to be restarted from the Services Manager. No other steps would need to be taken.
Who should apply the patch?
All customers running Windows Media Services on either Windows NT Server 4.0 or Windows 2000 Server should apply this patch. Windows NT Server 4.0 customers should upgrade their Windows Media Services installation to Windows Media Services 4.1 before applying the patch. Windows 2000 Server includes Windows Media Services 4.1, so the patch can be applied directly to this configuration.
What does the patch do?
The patch eliminates the vulnerability by providing more stringent protocol checking to deny invalid requests.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
How can I tell if I installed the patch correctly?
Knowledge Base article 253943 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has developed a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and patch in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.