Security Bulletin

Microsoft Security Bulletin MS00-064 - Important

Patch Available for 'Unicast Service Race Condition' Vulnerability

Published: September 06, 2000

Version: 1.0

Originally posted: September 06, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows Media™ Services. The vulnerability could allow a malicious user to prevent an affected server from providing useful service.

Affected Software:

  • Microsoft Windows Media Services 4.0
  • Microsoft Windows Media Services 4.1

Vulnerability Identifier: CVE-2000-0849

General Information

Technical details

Technical description:

If a client sends a particular type of malformed request to a Windows Media server, it could induce a race condition. Once the server has been put into such a state, subsequent requests - even ones that would normally be legitimate - could cause the Windows Media Unicast Service to fail. If this happened, any ongoing sessions would be lost, and the server would stop providing unicast streaming media services.

An affected server could be put back into service by restarting the Unicast Service. The vulnerability would not cause any data loss, nor would it enable the malicious user to usurp any administrative privileges on the machine.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-064 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows Media™ Services. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. If a malicious user sent a particular type of request to a Windows Media server, it could cause the server to enter a state that could culminate in the failure of one of the services. The failure of the service would prevent the server from providing on-demand streaming media until it was restarted. The vulnerability would not allow the malicious user to usurp any administrative control over the server or to access any data on it. Only one type of streaming media session - unicast sessions - would be halted; multicast and other sessions would not be affected by the vulnerability.

What causes the vulnerability?
The vulnerability results because a particular type of malformed client request can, under very restricted conditions, cause a Windows Media server to enter a race condition. Ultimately, such a condition could result in the failure of the Windows Media Unicast Service.

What's the Windows Media Unicast Service?
The Windows Media Unicast Service is one of the Windows Media Services, which is a family of services that enable digital content providers to send streaming media to customers. There are four services in the family:

  • Windows Media Unicast Service, which allows streaming media to be sent to a specific end user.
  • Windows Media Station Service, which allows a single stream of media to be sent to multiple end users at once.
  • Windows Media Program Service, which controls how many times a group of streams is played.
  • Windows Media Monitor Service, which enables the digital content provider to monitor end users connected to publishing points.

Only the Unicast Service is involved in this vulnerability. It could not be used against the other three services.

Why would a race condition cause the Unicast Service to fail?
By itself, it wouldn't. A race condition is a necessary but not sufficient condition for causing the crash. That is, the race condition wouldn't cause the crash, but it would create an environment in which a subsequent request - including normally-acceptable ones - could cause the failure. It isn't possible to specify what type of request would cause this to happen, though, as the circumstances would change each time the vulnerability was exploited. It could therefore be difficult for a malicious user to exploit this vulnerability with any degree of reproducibility.

So, what exactly is the vulnerability here?
The vulnerability lies in the ability of a malformed request to put the Unicast Service into a race condition. If it were not possible to do that, the crash could not result.

Could this vulnerability be exploited accidentally?
No. Only a specific client request, made in a particular way, would cause the race condition to occur. No legitimate client generates a request with these characteristics.

Could this vulnerability be exploited remotely?
Yes. Windows Media servers are frequently used to provide service over the Internet, and in such a case the vulnerability could be exploited by any Internet user. However, if a Windows Media server were being used solely on an intranet and a firewall were in place and configured to block port 1755, the server could not be attacked by malicious users outside of the firewall.

What would be needed in order to put an affected server back into service?
The Windows Media Services Unicast Service would need to be restarted from the Services Manager. No other steps would need to be taken.

Would the failure cause any data to be lost?
No. However, any unicast sessions that were underway at the time of the failure would be interrupted, and would need to be re-established.

Would I need to restart any of the other Windows Media Services?
No. The vulnerability only affects the Unicast Service.

Who should apply the patch?
All customers running Windows Media Services on either Windows NT 4.0 Server or Windows 2000 Server should apply this patch.

  • Customers using Windows Media Services on Windows NT 4.0 Server should upgrade to Windows Media Services 4.1 before applying the patch.
  • Windows 2000 Server includes Windows Media Services 4.1, so the patch can be applied directly to this configuration.

What does the patch do?
The patch eliminates the vulnerability by providing more stringent protocol checking to prevent the race condition from being initiated.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
The vulnerability lies in the ability of a malformed request to put the Unicast Service into a race condition. If it were not possible to do that, the crash could not result.

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

  • Microsoft Knowledge Base (KB) article Q273014, https:.

Other information:

Acknowledgments

Microsoft thanks Kit Knox of NaviSite (www.navisite.com) for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at https:.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • September 06, 2000: Bulletin Created.
