=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN125
_____________________________________________________________________

DATE                      : 14/04/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows 2000 Server running Microsoft Windows Media Services.

======================================================================
KB980858
http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx
______________________________________________________________________

Microsoft Security Bulletin (980858)

Vulnerability in Microsoft Windows Media Services Could Allow Remote Code
Execution

Published: April 13, 2010

Version: 1.0

General Information

Executive Summary

  This security update resolves a privately reported vulnerability in Windows
  Media Services running on Microsoft Windows 2000 Server. The vulnerability
  could allow remote code execution if an attacker sent a specially crafted
  transport information packet to a Microsoft Windows 2000 Server system running
  Windows Media Services. Firewall best practices and standard default firewall
  configurations can help protect networks from attacks that originate from
  outside the enterprise perimeter. Best practices recommend that systems that
  are connected to the Internet have a minimal number of ports exposed. On
  Microsoft Windows 2000 Server, Windows Media Services is an optional component
  and is not installed by default.

  This security update is rated Critical for all supported editions of Microsoft
  Windows 2000 Server.

  The security update addresses the vulnerability by modifying the way that the
  Windows Media Unicast Service (nsum.exe) handles transport info network
  packets.

  Recommendation: The majority of customers have automatic updating enabled and
  will not need to take any action because this security update will be
  downloaded and installed automatically. Customers who have not enabled
  automatic updating need to check for updates and install this update manually.
  For information about specific configuration options in automatic updating,
  see Microsoft Knowledge Base Article 294871.

  For administrators and enterprise installations, or end users who want to
  install this security update manually, Microsoft recommends that customers
  apply the update the update immediately using update management software, or
  by checking for updates using the Microsoft Update service.

Affected Software

  Microsoft Windows 2000 Server Service Pack 4

Mitigating Factors

  Supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows
  Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the
  vulnerability described in this bulletin.

  By default, Windows Media Services is not enabled on Microsoft Windows 2000
  Server. In order for a Microsoft Windows 2000 Server to be vulnerable, the
  server would have to be configured as a streaming media server by adding the
  Windows Media Services component in the Windows Components Wizard.

Workarounds

  Stop and disable Windows Media Unicast Service

  As an Administrator, disable the Windows Media Unicast Service by using the
  following command at the command prompt:

    sc stop nsunicast & sc config nsunicast start= disabled

  Uninstall the Windows Media Services component using Windows Component Wizard

  1.  Log on to the computer as an administrator or a member of the
      Administrators group.
  2.  Click Start, point to Settings, and then click Control Panel.
  3.  In Control Panel, double-click Add/Remove Programs.
  4.  Click Add/Remove Windows Components. The Windows Components Wizard starts
      and the Windows Components screen is displayed.
  5.  Clear the Windows Media Services check box. Click Next and follow the
      instructions in the Windows Component Wizard.

Vulnerability Information

Media Services Stack-based Buffer Overflow Vulnerability - CVE-2010-0478

  A remote code execution vulnerability exists in Microsoft Windows 2000 Server
  Service Pack 4 running the optional Windows Media Services component due to
  the way the Windows Media Unicast Service handles specially crafted transport
  information packets. On Microsoft Windows 2000 Server Service Pack 4, Windows
  Media Services is an optional component and is not installed by default. Only
  Microsoft Windows 2000 Server systems that have enabled Windows Media Services
  are affected by this vulnerability.


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================