Severity rating


Discovered date

Attack vector

Authentication required

Public exploits available

Signature detection

On this page


Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions. This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension - nsiislog.dll. When Windows Media Services are added through add/remove programs to Windows 2000, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS. There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user's system.


This vulnerability could enable an attacker to execute code of his or her choice on a computer running IIS with Windows Media Services installed. The code would execute in the context of the account under which IIS was running, which could allow the attacker to take any action on the system.

Technical details (analysis)

NSIISlog.dll is an IIS ISAPI extension that is included with Windows 2000 Server. It provides logging capabilities for Media Streaming in Microsoft Windows Media Services. It is installed and used automatically whenever Windows Media Services are installed on a computer. Internet Information Service 5.0 is included with Windows 2000 Datacenter Server, Advanced Server, Server and Professional. An attacker could exploit this vulnerability by constructing a specific network request and sending it to the server running Windows Media Services. The attacker would have to know which server on the network or Internet had Windows Media Services installed in order to cause the server to stop responding to IIS requests or cause code to execute in the server.

Affected software

Microsoft Windows 2000

Non-affected software

Windows NT 4.0
Microsoft Windows XP
Microsoft Windows Server 2003



NIS signature

Name: Policy:Win/HTTP.NSIISLOG.RCE!CAN-2003-0349
Release Date: 2003-06-25T00:00:00

Known false positives

This signature can cause false positives if you are not running any of the affected software versions or if you've already applied the patch.


There are no known work arounds.