What's this bulletin about?
Microsoft Security Bulletin MS00-038 announces the availability of a patch that eliminates a vulnerability in a component of Microsoft® Windows® Media Technologies. The vulnerability could allow a malicious user to interfere with broadcasts of digital audio and video. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could use it to prevent a streaming media provider from preparing digital content such as audio and video for transmission. The vulnerability would not prevent a streaming media provider from serving previously-prepared content, but it could prevent it from preparing new content. This could be particularly important to providers who broadcast audio or video in real time.
The affected service could be put back into service by restarting it; it would not be necessary to restart the server. Also, locating the server could require that the malicious user already have an unusual degree of access to the network.
What causes the vulnerability?
The vulnerability results because a component of the Windows Media Tools - the Windows Media Encoder - does not correctly handle a particular type of malformed request. Receiving such a request could cause the Encoder to fail.
What are the Windows Media Tools?
They're part of the Windows Media Technologies (WMT). WMT is a broad array of technologies for creating and distributing streaming audio and video, music, webcasts, and other digital media. Windows Media Tools is a toolset that enables streaming media providers to create the content they'll distribute via Windows Media Services in Windows NT 4.0 and Windows 2000 Server.
What's Windows Media Encoder?
Windows Media Encoder is a component of the Windows Media Tools. It's used to convert, or encode, audio or video into a format that can be distributed via the Windows Media Server. It's most commonly used to encode live audio or video for real-time broadcast, but it also can be used to encode video or audio into a Windows Media file for distribution and playback at a later time.
The Windows Media Encoder generally resides on a separate server from the Windows Media Server. It sits upstream of the media server, preparing streamable data. It forwards the data to the media server, which handles the actual broadcast and distribution of the content.
What would the vulnerability allow a malicious user to do?
If a malicious user sent a request with a particular malformation to an affected encoder, it could cause the encoder to fail. This would not cause the server to crash, and the encoder could be put back into service simply by restarting it.
Why would the malformed request cause the encoder to fail?
The request causes the encoder to request more memory than exists on the server.
What effect would an attack via this vulnerability have on the Windows Media Server?
It wouldn't have any direct effect on the Windows Media Server. The vulnerability doesn't affect the Windows Media Server, and wouldn't allow the malicious user to cause it to fail. However, by causing the encoder to fail, the malicious user could deny digital content to the media server.
The effect of such an attack would depend on the type of digital media that's being distributed. If the media server primarily provides static files - that is, files of pre-existing audio or video that customers can download and play - an attack might not be noticeable to end users. However, if the media server provides real-time broadcasts, such as live audio or video, the loss of the encoder would cause the broadcast to fail.
Is it easy to locate the server on which the encoder is running?
No. Although the encoder does typically reside on the Internet, its address isn't usually published, because it typically only communicates with the Windows Media Server. In order to attack an encoder, the malicious user would first need to determine the server's IP address.
Could an affected encoder be put back into service?
Yes. The operator would just need to restart the service. It would not be necessary to reboot the machine.
Could this vulnerability be exploited accidentally?
No. It requires that a very specific type of invalid request be sent to the encoder. No client software would generate this type of request - in fact, as discussed above, clients do not communicate directly with the encoder at all.
What machines are primarily at risk from this vulnerability?
This vulnerability would primarily affect Windows Media Encoder servers that are used to encode digital content for real-time broadcast.
Who should use the patch?
Streaming media providers using one of the affected versions of the Windows Media Encoder, and whose encoder server is not protected by a firewall should apply the patch.
I'm a home user and use Windows Media Player. Does this vulnerability affect me?
No. This vulnerability only affects digital media providers. It does not affect digital media clients.
What does the patch do?
The patch installs a new version of the Windows Media Technologies 4.1 encoder - one that correctly handles the malformed request at issue here. It's suitable for use by customers using either Windows Media Technologies 4.0 or 4.1.
How do I use the patch?
Knowledge Base article Q246133 contains detailed instructions for applying the patch to your site
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How can I tell if I installed the patch correctly?
Knowledge Base articleQ246133 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article
What is Microsoft doing about this issue?
- Microsoft has developed a procedure that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
