MS03-022: Vulnerability in ISAPI extension for Windows Media Services may cause code execution

This article has been archived. It is offered "as is" and will no longer be updated.

Technical update

  • March 9, 2004: The "Installation Information" section was updated to indicate the switches that are available for the re-released security update. After this update was released, Microsoft was made aware that, under certain circumstances, the original update that this bulletin provided did not replace the vulnerable file on the hard disk drive. These circumstances involved whether Windows Media Services was removed before the update was applied. Microsoft has addressed this issue and is re-releasing the update on Windows Update and in the Microsoft Download Center.
  • March 9, 2004: The "Installation Information" section was updated.
  • March 9, 2004: The "File Information" section was updated.
  • June 26, 2003: The "Prerequisites" section was updated to indicate the patch can be installed on Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, or Windows 2000 Service Pack 4.
  • June 26, 2003: The "File Information" section was updated.
Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, and Microsoft Windows 2000 Datacenter Server, and Windows Media Services is also available in a downloadable version for Microsoft Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network that is known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content that is coming from the server.

To make logging of client information for the server easier, Windows 2000 includes a capability that is specifically designed to enable logging for multicast transmissions. This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension named Nsiislog.dll. When Windows Media Services are added to Windows 2000 through the Add/Remove Programs utility, Nsiislog.dll is installed in the Internet Information Services (IIS) Scripts folder on the server. After Windows Media Services is installed, Nsiislog.dll is automatically loaded and used by IIS.

A flaw exists in the way Nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker can send specially formed HTTP requests (that is, communications) to the server, and these HTTP requests can cause IIS to fail or to execute code on the user's system.

By default, Windows Media Services is not installed on Windows 2000. An attacker who tries to exploit this vulnerability must know the computers on the network that have Windows Media Services installed and must send a specific request to that server.

Windows Media Services are not available for Windows 2000 Professional.

Security update information

Download information

The following file is available for download from the Microsoft Download Center:
Release Date: June 25, 2003

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.


This security update requires Windows 2000 Service Pack 2 (SP2), Windows 2000 Service Pack 3 (SP3), or Windows 2000 Service Pack 4 (SP4). For more information about Windows 2000 service packs, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Note Microsoft Windows Media Services 4.1 is included with Windows 2000 Server Service Pack 2 (SP2) and later.

Installation information

This security update supports the following Setup switches:
  • /help : Displays the command line options.
  • /quiet : Use Quiet mode (no user interaction or display).
  • /passive : Unattended mode (progress bar only).
  • /uninstall : Uninstalls the package.
  • /norestart : Do not restart when installation has completed.
  • /forcerestart : Restart when installation has completed.
  • /l : List the installed hotfixes or software updates.
  • /o : Overwrite OEM files without prompting.
  • /n : Do not back up files that are required for uninstall.
  • /f : Force other programs to close when the computer shuts down.
To verify that the security update is installed on your computer, confirm that the following registry key exists:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Services\wm822343

Deployment Information

To install the security update without any user intervention, type the following command at a command prompt:
WindowsMedia41-KB822343-ENU /quiet
For additional information about how to deploy this security update by using Microsoft Software Update Services, visit the following Microsoft Web site:

Restart requirement

You do not have to restart your computer after you apply this security update.

Removal information

You cannot remove this security update because the Setup technology does not allow for removal and because Windows 2000 does not have a system-level rollback feature.

Security update replacement information

This security update replaces the 817772 security update. For more information about this security update, click the following article number to view the article in the Microsoft Knowledge Base:
817772 MS03-019: Flaw in ISAPI extension for Windows Media Services could cause denial of service

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size     File name   -----------------------------------------------------   02-Mar-2004  00:26               24,576  Custdll.dll   29-May-2003  21:25   16,784  Nsiislog.dll   03-Jun-2003  15:47  6.0.2600.0  143,872  Nsisapi.exe
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.
More information
For more information about this vulnerability, visit the following Microsoft Web site:
security_patch uninstall SUS patch

Article ID: 822343 - Last Review: 10/25/2013 21:55:00 - Revision: 8.0

Microsoft Windows Media Services 4.1

  • kbnosurvey kbarchive kbwin2000presp5fix kbsecvulnerability kbsecurity kbsecbulletin kbqfe kbfix kbbug KB822343