From secnotif@MICROSOFT.COM Sun Mar 19 00:39:14 2000
From: Microsoft Product Security
Resent-From: mea culpa
To: MICROSOFT_SECURITY@ANNOUNCE.MICROSOFT.COM
Resent-To: jericho@attrition.org
Date: Fri, 17 Mar 2000 16:25:05 -0800
Subject: Microsoft Security Bulletin (MS00-016)

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.

********************************

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft Security Bulletin (MS00-016)
- --------------------------------------

Patch Available for "Malformed Media License Request" Vulnerability

Originally Posted: March 17, 2000

Summary
=======
Microsoft has released a patch that eliminates a denial of service vulnerability in Microsoft(r) Windows Media(tm) License Manager. The vulnerability could allow a malicious user to temporarily prevent the license server from issuing further licenses to customers for protected digital content (music and video).

Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/technet/security/bulletin/fq00-016.asp.

Issue
=====
Windows Media License Manager is part of Windows Media Rights Manager, a component of Windows Media Technologies that enables content providers to distribute copyrighted digital media in encrypted form. When Windows Media Player opens protected digital media, it contacts the provider's server, presents the user's license request information, and obtains a license that allows it to play the media. However, a specially-malformed license request can cause License Manager to halt, thereby preventing legitimate subscribers from obtaining a license for the same or other content hosted at this site.

The vulnerability does not in any way compromise the protection provided by the encryption or prevent offline playing of content that the user has already licensed.
The server can be put back into normal operation by restarting the License Manager.

Affected Software Versions
==========================
 - Microsoft Windows Media Technologies 4.1 and 4.0.

Patch Availability
==================
 - http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19171

NOTE: Additional security patches are available at the Microsoft Download Center

More Information
================
Please see the following references for more information related to this issue.
 - Microsoft Security Bulletin MS00-016: Frequently Asked Questions, http://www.microsoft.com/technet/security/bulletin/fq00-016.asp.
 - Microsoft Knowledge Base (KB) article Q257200, Windows Media Server Rights Manager May Stop Serving Licenses, http://www.microsoft.com/technet/support/kb.asp?ID=257200.
 - Microsoft TechNet Security web site, http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp

Acknowledgments
===============
Microsoft thanks Ranjiv Sharma for reporting this issue to us and working with us to protect customers.

Revisions
=========
 - March 17, 2000: Bulletin Created.

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.