• Article

Security Bulletin

Microsoft Security Bulletin MS03-022 - Important

Vulnerability in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)

Published: June 25, 2003 | Updated: March 09, 2004

Version: 2.0

Originally posted: June 25, 2003

Revised: March 9, 2004

Summary

Who should read this bulletin: System administrators running Microsoft® Windows® 2000

Impact of vulnerability: Allow an attacker to execute code of their choice

Maximum Severity Rating: Important

Recommendation: System administrators should install the patch at the earliest available opportunity.

End User Bulletin: An end user version of this bulletin is available at:

https:.

Affected Software:

  • Microsoft Windows 2000

Not Affected Software Versions:

  • Windows NT 4.0
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

General Information

Technical details

Subsequent to the release of this update Microsoft was made aware that under certain circumstances the original update provided with this bulletin did not replace the vulnerable file on the hard drive. These situations involved whether or not Windows Media Services was uninstalled previous to the application of the update. Microsoft has addressed this issue and is re-releasing the update on Windows Update and the Microsoft Download Center.

Technical description:

Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions.

This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension - nsiislog.dll. When Windows Media Services are added through add/remove programs to Windows 2000, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS.

There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user's system.

Windows Media Services is not installed by default on Windows 2000. An attacker attempting to exploit this vulnerability would have to be aware which computers on the network had Windows Media Services installed on it and send a specific request to that server.

Mitigating factors:

  • Windows Media Services 4.1 is not installed by default on Windows 2000.
  • Windows Media Services are not available for Windows 2000 Professional.

Severity Rating:
Windows 2000 Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0349

Tested Versions:

Microsoft tested Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why are you re-releasing this update?
Subsequent to the release of this update Microsoft was made aware that under certain circumstances the original update provided with this bulletin did not replace the vulnerable file on the hard drive. These situations involved whether or not Windows Media Services was uninstalled previous to the application of the update. Microsoft has addressed this issue and is re-releasing the update on Windows Update and the Microsoft Download Center.

Should I re-apply the update?
If the vulnerable version of NSIISLOG.DLL is still on the system, you will be offered the update again if you go to Windows Update. You can search your system for the NSIISLOG.DLL file to determine if the update should be applied. To do this, perform the following steps: If you have installed Windows Media Services on Windows 2000 Server, then the nsiislog.dll file is automatically copied to the proper IIS directory and loaded. To determine if nsiislog.dll is installed on the computer, perform the following steps:

  1. From the Start Menu, click search.
  2. Click For Files or Folders
  3. In the search dialog, type in the file name, NSIISLOG.DLL
  4. Click Search Now.
  5. If the file is not present, you do not need to apply this update. If the file is present, right click the file and choose properties.
  6. Click the Version tab
  7. If the file version is less than 4.1.0.3932, you should apply this re-released update.

What's the scope of the vulnerability?
This is a Buffer Overrun vulnerability. An attacker who successfully exploited this vulnerability could cause a Windows 2000 server that was performing streaming media logging to fail in a way that could allow code to execute in the security context of the IIS service.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by constructing a specific network request and sending it to the server running Windows Media Services. The attacker would have to know which server on the network or Internet had Windows Media Services installed in order to cause the server to stop responding to IIS requests or cause code to execute in the server.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to execute code of his or her choice on a computer running IIS with Windows Media Services installed. The code would execute in the context of the account under which IIS was running, which could allow the attacker to take any action on the system.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer used by nsiislog.dll, the streaming media component that is used to log multicast requests. If a specially crafted request was sent to the server, the logging program would attempt to write a larger buffer than was available, which then in turn could cause the IIS service to fail and could allow code of the attacker's choice to execute.

What is nsiislog.dll?
Nsiislog.dll is an IIS ISAPI extension that is included with Windows 2000 Server. It provides logging capabilities for Media Streaming in Microsoft Windows Media Services. It is installed and used automatically whenever Windows Media Services are installed on a computer.

What versions of IIS might be affected by the vulnerable version of nsiislog.dll?
The vulnerable version of nsiislog.dll can be installed on IIS 5.0.

What products does IIS 5.0 ship with?
Internet Information Service 5.0 is included with Windows 2000 Datacenter Server, Advanced Server, Server and Professional.

Does IIS 5.0 run by default?
IIS 5.0 runs by default on all Windows 2000 server products. It does not run by default on Windows 2000 Professional.

What are Microsoft Windows Media Services?
Windows Media Services is a feature of Windows 2000 Server, Advanced Server, and Datacenter Server and provides streaming audio and video services for use over corporate intranets and the Internet.

Can I install Windows Media Services on Windows 2000 Professional?
No - Windows Media Services are only available for Microsoft Windows Server operating systems, such as Windows 2000 Server, Advanced Server and Datacenter Server.

Does this vulnerability affect Windows Media Services on Windows NT 4.0?
That depends. If you have applied the previous patch for Windows Media Servers from security bulletin MS03-019, this vulnerability does not affect Windows NT 4.0.

What is Multicast Media Streaming?
Multicast media streaming is a method of delivering media content to clients across a network. In contrast to unicast media streaming, multicasting sends a single copy of the data that can be received by any clients that request it. Multiple copies of data are not sent across the network, nor is data processed by clients who do not request it. For more information on Multicast Media Streaming, please see the following web site: </https:>https:

How can I determine whether someone has set up my computer to perform multicast streaming media logging?
If you have installed Windows Media Services on Windows 2000 Server, then the nsiislog.dll file is automatically copied to the proper IIS directory and loaded. To determine if nsiislog.dll is installed on the computer, perform the following steps:

  • From the Start Menu, click search.
  • Click For Files or Folders
  • In the search dialog, type in the file name, NSIISLOG.DLL
  • Click Search Now.

If the file NSIISLOG.DLL is present in any directory shared by IIS, then the server is configured for logging clients of multicast streams.

What does the Patch do?
The fix eliminates the vulnerability by ensuring that the Nsiislog.dll file correctly responds to requests.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Microsoft Windows 2000 Service Pack 2, Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 5.

Reboot needed: No.

Patch can be uninstalled: No.

Superseded patches: This patch supercedes the patch provided with MS03-019.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Services\wm822343

  • To verify the individual files, use the date/time and version information provided in Knowledge Base article 822343.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks Brett Moore for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 822343 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 25, 2003): Bulletin Created.

    V2.0 (March 9, 2004): Bulletin updated to reflect re-release of update to address install issues.

Built at 2014-04-18T13:49:36Z-07:00 </https:>