Microsoft Security Bulletin (MS00-016): Frequently Asked Questions

What's this bulletin about?
Microsoft Security Bulletin MS00-016 announces the availability of a patch that eliminates a vulnerability in the Microsoft® Windows Media™ Rights Manager (sub component Windows Media License Manager). The vulnerability could allow a malicious user to temporarily prevent the license server from issuing further licenses to customers for protected digital content (music and video). Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user who created a specially-malformed request to a digital content provider's server could cause it to be unable to validate future Windows Media license requests. This would prevent future legitimate customers from obtaining a license to play protected digital media content.
It is important to note that the vulnerability does not compromise the protection of the digital content or prevent offline playing of content that the user has already licensed. Although the malicious user could prevent further legitimate users from obtaining a license to play their digital media content, it would not allow him to play any content that he did not have a license for.

What causes the vulnerability?
The vulnerability results because the Windows Media License Manager does not correctly handle certain types of specially-malformed license requests. These requests can cause the License Manager service to become unresponsive to future license requests until it is restarted.

What is Windows Media License Manager?
It's easiest to explain if we start with a description of Windows Media Technology (WMT). WMT is a broad array of technologies for creating and distributing streaming audio and video, music, webcasts, and other digital media. Some types of digital media - music and video, for instance - can be copyrighted, and must be protected against piracy. A component of WMT called Windows Media Rights Manager enables content providers to do this.
Windows Media Rights Manager consists of two components: the Windows Media Rights Packager, which lets content providers package digital media in an encrypted form, and Windows Media License Manager, which lets legitimate customers open the encrypted package and play the media. When a customer subscribes with a digital media provider, the provider grants him a license to play the media. When the customer downloads the media and plays it, the media player, as required by the copyrights on the content, contacts the Windows Media License Manager at the provider's site, presents the customer's license information, and receives a decryption key. The media player can then play the media.

How would the malicious user cause the denial of service?
A particular type of malformed license request can cause the Windows Media License Manager service to become unresponsive, thereby preventing it from responding to any license requests. As soon as the provider restarted the service, legitimate customers could resume normal use of their digital media.

Would legitimate customers need to download their digital media again?
No. The music, video, or other digital media that the customer downloaded from the provider is not damaged in any way by the attack. The customer is simply unable to obtain a decryption key to play it until the Windows Media License Manager is put back into service.

Could the malicious user exploit this vulnerability to steal digital media?
No. The vulnerability doesn't enable the malicious user to obtain a decryption key, so he would not be able to steal digital media under any circumstances. It would only allow him to deny legitimate users the ability to obtain a license to use the protected content. If the user has already acquired, the user would not be affected by this issue.

Could this vulnerability be exploited accidentally?
No. The malicious user would need to write a program that would send the specially-malformed license request to the provider's Windows Media License Manager - the malformation at issue here is not generated by any media player.

What would the digital content provider need to do to restore service?
The provider would only need to restart the Windows Media License Manager process. It would not be necessary to reboot the machine hosting the Windows Media License Manager.

Is there any way for a content provider to prevent this attack?
Yes. The easiest way is to install the patch, which eliminates the vulnerability altogether. However, content providers also could prevent this attack by changing how Windows Media License Manager runs on the server.
License Manager is a COM object that runs atop IIS. By default, it runs "in-process"; that is, a single instantiation of the object runs within the IIS process, and services all users. However, it also can be configured to run "out of process", in which case a new instantiation of the License Manager would be spawned for every user. If this were done, the malicious user could cause the instantiation of License Manager that was servicing his request to fail, but all other users' instantiations would continue running. Creating and running multiple instantiations of License Manager does, however, carry a performance penalty.

Who needs to apply the patch?
Digital content providers who use Windows Media Technologies 4.1 and 4.0 to distribute -protected digital media should install the patch. It is not necessary for their customers to take any action - the patch only needs to be installed on the provider's server on which Windows Media License Manager is running.

What does the patch do?
The patch causes Windows Media License Manager to handle the malformed license request correctly. It rejects it but does not halt.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin 

How can I tell if I installed the patch correctly?
Knowledge Base article 257200 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to check that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

Did Microsoft handle this vulnerability differently from others?
Yes. Because this vulnerability disparately affected a small segment of customers, Microsoft provided advance copies of the patch and this bulletin to customers who were most likely to be affected by it.

What is Microsoft doing about this issue?

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Top of page