Microsoft on Wednesday warned of a security flaw in the
ISAPI extension for Windows Media Services that could lead to code execution
on Windows 2000 systems.
In an advisory, Microsoft tagged an “important”
rating to the vulnerability and urged systems admins to install a patch at
the earliest opportunity.
The company said the flaw was detected in the logging capability of
Windows Media Services, which is used for the delivery of media content to
clients across a network (multicast streaming).
“In multicast streaming, the server has no connection to or knowledge of
the clients that may be receiving the stream of media content coming from
the server,” the company said, explaining that Windows 2000 includes a
capability specifically designed to enable logging for multicast
transmissions.
“There is a flaw in the way (the logging capability) processes incoming
client requests. A vulnerability exists because an attacker could send
specially formed HTTP request to the server that could cause IIS to fail or
execute code on the user’s system,” Microsoft cautioned.
Although Windows Media Services is available for Windows Server 2003,
Windows XP and NT 4.0, the flaw does not affect those software versions.