Vulnerabilities exist in two Windows Media products that can allow an attacker to take over a media server or view a user's media library, Microsoft Corp. warned Wednesday.
The server flaw creates a vulnerability in Windows 2000 server systems with Windows Media Services installed. An unchecked buffer in a component that provides logging services for streaming media makes the system vulnerable to attacks, Microsoft said in Security Bulletin MS03-022. (http://www.microsoft.com/technet/security/bulletin/MS03-022.asp)
Windows Media Services is an add-on to Windows 2000 that provides streaming audio and video services for use over corporate networks and the Internet. Microsoft rates this issue "important" and urges users to apply the patch released with the bulletin at the earliest available opportunity.
In a second Security Bulletin released Wednesday Microsoft warns of an information disclosure flaw in Windows Media Player 9 Series, the company's latest media player software. An attacker could get information on the media files a user stores on a PC. Microsoft deems this issue of "moderate" risk.
The flaw lies in a component called an ActiveX control that is meant to allow Web page designers to embed a media player into a Web page. The control does not properly validate access to the information on the user's PC, Microsoft said in security bulletin MS03-021. (http://www.microsoft.com/technet/security/bulletin/MS03-021.asp)
Microsoft has a four-tiered system for rating security issues. Vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are rated critical. Issues that are rated important could still expose user data or threaten system resources. Vulnerabilities rated moderate are hard to exploit because of factors such as default configuration or auditing, or difficulty of exploitation.