Microsoft Security Bulletin (MS00-097) - Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows Media Server which allows malicious users to degrade the performance of a Windows Media server to the point where it could no longer provide useful service. When a connection to a Windows Media server is made, then severed, using a particular sequence of TCP/IP packets, the Windows Media Unicast Service does not release all of the resources allocated to the connection. When repeatedly making and then severing connections in this manner, malicious users can exhaust the resources of the server. Microsoft FAQ on this issue available here.
613f0a1ea210493f1edac7eb5a50da9377cf301c0cd903f10d888953a7de0f9e
Microsoft Security Bulletin (MS00-097)
Patch Available for Severed Windows Media Server Connection
Vulnerability
Originally posted: December 15, 2000
Summary
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft® Windows Media Services. The vulnerability
could allow a malicious user to degrade the performance of a Windows
Media server, possibly to the point where it could no longer provide
useful service.
Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-097.asp
Issue
When a connection to a Windows Media server is made, then severed,
using a particular sequence of TCP/IP packets, the Windows Media
Unicast Service does not release all of the resources allocated to the
connection. By repeatedly making and then severing connections in this
manner, a malicious user could exhaust the resources on a server,
thereby preventing it from providing streaming media services.
If an affected server were attacked via this vulnerability, the server
operator could restore normal operation by restarting the Windows
Media Service. Any sessions that were in progress would be lost, but
users could immediately reconnect and resume normal use.
Affected Software Versions
* Microsoft Windows Media Services 4.0
* Microsoft Windows Media Services 4.1
Patch Availability
* http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26470
Note: Windows Media Services 4.1 ships as part of Windows 2000, and
the patch for Windows Media Services 4.1 can be applied atop Windows
2000 Gold or SP1. The fix will be incorporated into Windows 2000 SP3.
Note: Windows Media Services 4.0 does not ship as part of any other
product. The patch for Windows Media Services 4.0 can be applied to
any machine already running the product, and will not be included in
any other product's future service packs.
Note Additional security patches are available at the Microsoft
Download Center
More Information
Please see the following references for more information related to
this issue.
* Frequently Asked Questions: Microsoft Security Bulletin MS00-097,
http://www.microsoft.com/technet/security/bulletin/fq00-097.asp
* Microsoft Knowledge Base article Q281256 discusses this issue and
will be available soon.
* Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp
Obtaining Support on this Issue
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at
http://support.microsoft.com/support/contact/default.asp.
Acknowledgments
Microsoft thanks NTT Communications (http://www.ntt.com) for
reporting this issue to us and working with us to protect customers.
Revisions
* December 15, 2000: Bulletin Created.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.
Last updated December 15, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of use.