Microsoft has released two security bulletins warning of security holes in its Web server software and in Windows Media Services affecting various versions of the Windows operating system.
The vendor released a cumulative patch for its IIS (Internet Information Services or Internet Information Server) Web server software, a component of Windows NT 4.0, Window 2000 and Windows XP. The patch includes earlier patches for the Web server as well as four new fixes, Microsoft said in Bulletin MS03-018. The bulletin and patch can be found at http://www.microsoft.com/technet/security/bulletin/MS03-018.asp.
The IIS flaws newly patched in bulletin MS03-018 have various severity ratings. Most serious, according to Microsoft, is a denial of service vulnerability that could allow an attacker to cause IIS versions 5.0 and 5.1 to fail. The cumulative patch is for IIS versions 4.0, 5.0 and 5.1 and is rated "important" by Microsoft.
The second bulletin addresses a flaw in Windows Media Services, software for streaming media over a network. It affects Windows NT 4.0 and Windows 2000. The flaw involves the way the software handles incoming requests. Exploiting that flaw could cause IIS on the affected system to stop handling Internet requests, Microsoft said in Bulletin MS03-019. The bulletin and patch can be found at http://www.microsoft.com/technet/security/bulletin/MS03-019.asp.
Windows Media Services is included with Windows 2000 but not installed by default. It is a downloadable option on Windows NT 4.0, Microsoft said. This flaw is rated "moderate" by Microsoft.
Microsoft has a four-tiered system for rating security issues. Under the system, only vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are rated critical. Issues that are rated important could still expose user data or threaten system resources. Vulnerabilities rated moderate are hard to exploit because of factors such as default configuration or auditing, or difficulty of exploitation.