Last Week, the Microsoft Security Response Center released a blog postwarning that they had pulled the MS10-25 security update because essentially, it didn’t work.
MS10-25 was supposed to fix a critical buffer overflow vulnerability in Windows Media Servers; the on-demand streaming services that ships with Windows 2000. By sending a specially crafted packet to your Windows 2000 Media Server, an attacker could exploit this vulnerability to gain complete control of the machine. Of course, this flaw only affects Windows 2000 servers, and you have to specifically enable the Windows Media Services.
According to Microsoft’s blog post, the update they released a few Tuesdays ago, “does not address the underlying issue effectively.” On a positive note, Microsoft is not aware of anyone actively exploiting this flaw in the wild. That could change though. Now that the bad guys know that Microsoft’s fix is broken, they could put more effort into reverse engineering the original update to find the underlying vulnerability.
Microsoft does say they plan on re-releasing this update, probably sometime this week. Until they do, you should check out the Workarounds section of their security bulletin to see how to mitigate the risk of this now unpatched issue.
Leave a Reply