Microsoft released two security bulletins on Wednesday, warning of security holes in its Web server software and in Windows Media Services affecting various versions of the Windows operating system.
The vendor released a cumulative patch for its IIS (Internet Information Services or Internet Information Server) Web server software, a component of Windows NT 4.0, Windows 2000 and Windows XP. The patch includes earlier patches for the Web server as well as four new fixes, Microsoft said in Bulletin MS03-018.
The IIS flaws newly patched in bulletin MS03-018 have various severity ratings. Most serious, according to Microsoft, is a denial of service vulnerability that could allow an attacker to cause IIS versions 5.0 and 5.1 to fail. The cumulative patch is for IIS versions 4.0, 5.0 and 5.1 and is rated "important" by Microsoft.
The second bulletin released Wednesday addresses a flaw in Windows Media Services, software for streaming media over a network. It affects Windows NT 4.0 and Windows 2000. The flaw involves the way the software handles incoming requests. Exploiting that flaw could cause IIS on the affected system to stop handling Internet requests, resulting in denial of service, Microsoft said in Bulletin MS03-019.
Windows Media Services is included with Windows 2000 but not installed by default. It is a downloadable option on Windows NT 4.0, Microsoft said. This flaw is rated "moderate" by Microsoft.
However, Marc Maiffret, chief hacking officer at eEye Digital Security, said Microsoft is underestimating the flaw. The Windows Media Services vulnerability is exploitable and an attacker could gain control over a vulnerable system, Maiffret wrote in a posting to the Windows NTBugtraq mailing list after Microsoft issued the bulletin. The exploit was confirmed in eEye's labs and by the discoverer of the flaw, Maiffret wrote, urging Microsoft to update its bulletin.
Microsoft, in response to Maiffret, said it did an assessment and a reassessment of the scope of the vulnerability before posting the bulletin.
"We believe it is a denial of service and we still believe that," said Iain Mulholland, security program manager at Microsoft. "We have investigated the vulnerability and we have rated it a denial of service. If we find out otherwise, we will absolutely rerate the bulletin to whatever is appropriate."
Mulholland stressed that regardless of the impact of the vulnerability, the patch provided does fix it.
Microsoft has a four-tiered system for rating security issues. Under the system, only vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are rated critical. Issues rated important could still expose user data or threaten system resources. Vulnerabilities rated moderate are mitigated by factors such as default configuration, auditing, or difficulty of exploitation.