Microsoft Security Bulletin MS00-097

Technical description:

When a connection to a Windows Media server is made, then severed, using a particular sequence of TCP/IP packets, the Windows Media Unicast Service does not release all of the resources allocated to the connection. By repeatedly making and then severing connections in this manner, a malicious user could exhaust the resources on a server, thereby preventing it from providing streaming media services.

If an affected server were attacked via this vulnerability, the server operator could restore normal operation by restarting the Windows Media Service. Any sessions that were in progress would be lost, but users could immediately reconnect and resume normal use.

What's this bulletin about?
Microsoft Security Bulletin MS00-097 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows Media™ Services. Microsoft is committed to protecting customers' information,and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. It could enable a malicious user to cause a Windows Media server to stop providing useful service. The vulnerability would not allow the malicious user to usurp any administrative control over the machine, or to access any data on it.

What causes the vulnerability?
If a connection to a server running the Windows Media Unicast Service was started, then severed, in a particular way, the service would "leak" some of the resources that were allocated during the connection. If this sequence of commands was repeated enough times, it could degrade the server's performance to the point where it would no longer be able to provide useful service.

What is the Windows Media Unicast Service? 
It's easiest to explain the specific service at issue by first discussing a larger technology, the Windows Media Technologies. These technologies provide the ability for servers to supply streaming audio and video, and for clients to receive and play it. The technologies that support streaming media servers are known as the Windows Media Services; the client is the Windows Media Player.
Among the Windows Media Services are ones that support multicasting (i.e., sending audio or video to many customers at once) or unicasting (i.e., sending audio or video to only a single customer). The vulnerability at issue here only affects the Windows Media Unicast Service - the service that provides unicast services.

What's wrong with the connection at issue here?
There really isn't anything wrong with the way the connection is made and then severed. The data packets are all valid, and the requests should, by design, be routine ones. In fact, the Windows Media Unicast Service actually does create and sever the connection correctly, at least from the client's perspective. The problem is that in doing so, the service leaks resources.

What do you mean when you say that the service "leaks" resources?
When a connection is initially established, the service allocates resources like memory, file handles, and so forth. When the connection is eventually ended, the service should recover all of the resources and make them available for use again However, in the case at issue here, the resources aren't returned. As a result, the available pool of resources could gradually decline to the point where it interferes with normal server operation.

Does the leak occur whenever a connection is severed?
No. It only happens when a connection is made, and then severed, in a particular way. There are many packet sequences that can create and then sever a connection, and only one particular sequence causes the vulnerability to occur.

How could an affected server be put back into normal operation?
Normal service could be restored by restarting the Windows Media Unicast Service. Any unicast sessions that were in progress when the service was restarted would be lost, but the users could immediately make new connections.

Is there any way to use this vulnerability to take over a Windows Media server?
No. This is a denial of service vulnerability only.

Who should use the patch?
Microsoft recommends that customers using Windows Media Service consider installing the patch.

What does the patch do?
The patch eliminates the vulnerability by causing Windows Media Service to correctly handle the series of packets at issue here

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package.The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

• Microsoft has delivered a patch that eliminates the vulnerability.
• Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
• Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
• Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

• http://www.microsoft.com/downloads/details.aspx?FamilyId=C5892A8F-F300-4DBA-8A44-1ADFD78EE177&displaylang=en

  Note: Windows Media Services 4.1 ships as part of Windows 2000, and the patch for Windows Media Services 4.1 can be applied atop Windows 2000 Gold, SP1, or SP2. The fix will be incorporated into Windows 2000 SP3.

  Note: Windows Media Services 4.0 does not ship as part of any other product. The patch for Windows Media Services 4.0 can be applied to any machine already running the product, and will not be included in any other product's future service packs.