|
|
|
|
| |
| Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows Media-Services. The vulnerability could allow a malicious user to degrade the performance of a Windows Media server, possibly to the point where it could no longer provide useful service. |
| |
Credit:
Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-097.asp
|
| |
When a connection to a Windows Media server is made, then severed, using a particular sequence of TCP/IP packets, the Windows Media Unicast Service does not release all of the resources allocated to the connection. By repeatedly making and then severing connections in this manner, a malicious user could exhaust the resources on a server, thereby preventing it from providing streaming media services.
If an affected server were attacked via this vulnerability, the server operator could restore normal operation by restarting the Windows Media Service. Any sessions that were in progress would be lost, but users could immediately reconnect and resume normal use.
Affected Software Versions
Microsoft Windows Media Services 4.0
Microsoft Windows Media Services 4.1
Patch Availability
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26470
Note: Windows Media Services 4.1 ships as part of Windows 2000, and the patch for Windows Media Services 4.1 can be applied atop Windows 2000 Gold or SP1. The fix will be incorporated into Windows 2000 SP3.
Note: Windows Media Services 4.0 does not ship as part of any other product. The patch for Windows Media Services 4.0 can be applied to any machine already running the product, and will not be included in any other product's future service packs.
What?s the scope of the vulnerability?
This is a denial of service vulnerability. It could enable a malicious user to cause a Windows Media server to stop providing useful service. The vulnerability would not allow the malicious user to usurp any administrative control over the machine, or to access any data on it.
What causes the vulnerability?
If a connection to a server running the Windows Media Unicast Service was started, then severed, in a particular way, the service would "leak" some of the resources that were allocated during the connection. If this sequence of commands was repeated enough times, it could degrade the server?s performance to the point where it would no longer be able to provide useful service.
What is the Windows Media Unicast Service?
It's easiest to explain the specific service at issue by first discussing a larger technology, the Windows Media Technologies. These technologies provide the ability for servers to supply streaming audio and video, and for clients to receive and play it. The technologies that support streaming media servers are known as the Windows Media Services; the client is the Windows Media Player.
Among the Windows Media Services are ones that support multicasting (i.e., sending audio or video to many customers at once) or unicasting (i.e., sending audio or video to only a single customer). The vulnerability at issue here only affects the Windows Media Unicast Service - the service that provides unicast services.
What?s wrong with the connection at issue here?
There really isn?t anything wrong with the way the connection is made and then severed. The data packets are all valid, and the requests should, by design, be routine ones. In fact, the Windows Media Unicast Service actually does create and sever the connection correctly, at least from the client?s perspective. The problem is that in doing so, the service leaks resources.
What do you mean when you say that the service "leaks" resources?
When a connection is initially established, the service allocates resources like memory, file handles, and so forth. When the connection is eventually ended, the service should recover all of the resources and make them available for use again However, in the case at issue here, the resources aren?t returned. As a result, the available pool of resources could gradually decline to the point where it interferes with normal server operation.
Does the leak occur whenever a connection is severed?
No. It only happens when a connection is made, and then severed, in a particular way. There are many packet sequences that can create and then sever a connection, and only one particular sequence causes the vulnerability to occur.
How could an affected server be put back into normal operation?
Restarting the Windows Media Unicast Service can restore normal service. Any unicast sessions that were in progress when the service was restarted would be lost, but the users could immediately make new connections.
Is there any way to use this vulnerability to take over a Windows Media server?
No. This is a denial of service vulnerability only.
Who should use the patch?
Microsoft recommends that customers using Windows Media Service consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by causing Windows Media Service to correctly handle the series of packets at issue here
|
|
|
|
|
|
|
