Security Bulletin

Microsoft Security Bulletin MS00-038 - Important

Patch Available for 'Malformed Windows Media Encoder Request' Vulnerability

Published: May 30, 2000 | Updated: May 18, 2003

Version: 2.0

Originally posted: May 30, 2000 Updated: May 18, 2003


Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows® Media Encoder, which ships as a component of the Windows Media Technologies. The vulnerability could allow a malicious user to interfere with a digital content provider's ability to supply real-time audio and video broadcasts.

On June 20, 2000, Microsoft re-released this patch to fix a regression that was introduced by the original patch. Microsoft recommends that all customers who applied the original patch apply new the version; it is not necessary to "back out" the original patch before applying the new version.

Affected Software:

  • Microsoft Windows Media Encoder 4.0
  • Microsoft Windows Media Encoder 4.1

Vulnerability Identifier: CVE-2000-0495

General Information

Technical details

Technical description:

Windows Media Encoder a component of the Windows Media Tools, which are part of the Windows Media Technologies. Windows Media Encoder is used to convert digital content into Windows Media Format for distribution by Windows Media Services in Windows NT and Windows 2000 Server. If a request with a particular malformation were sent to an affected encoder, it could cause it to fail, thereby denying formatted content to the Windows Media Server.

This vulnerability would primarily affect streaming media providers that supply real-time broadcasts of streaming media - it would not prevent a Windows Media Server from distributing already-encoded data. The vulnerability cannot be used to cause a machine to crash, nor can it be used to usurp any administrative privileges. Simply locating the server could be a challenge, because the IP address of the Windows Media Encoder would typically not be advertised.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-038 announces the availability of a patch that eliminates a vulnerability in a component of Microsoft® Windows® Media Technologies. The vulnerability could allow a malicious user to interfere with broadcasts of digital audio and video. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. A malicious user could use it to prevent a streaming media provider from preparing digital content such as audio and video for transmission. The vulnerability would not prevent a streaming media provider from serving previously-prepared content, but it could prevent it from preparing new content. This could be particularly important to providers who broadcast audio or video in real time. The affected service could be put back into service by restarting it; it would not be necessary to restart the server. Also, locating the server could require that the malicious user already have an unusual degree of access to the network.

What causes the vulnerability?
The vulnerability results because a component of the Windows Media Tools - the Windows Media Encoder - does not correctly handle a particular type of malformed request. Receiving such a request could cause the Encoder to fail.

What are the Windows Media Tools?
They're part of the Windows Media Technologies (WMT). WMT is a broad array of technologies for creating and distributing streaming audio and video, music, webcasts, and other digital media. Windows Media Tools is a toolset that enables streaming media providers to create the content they'll distribute via Windows Media Services in Windows NT 4.0 and Windows 2000 Server.

What's Windows Media Encoder?
Windows Media Encoder is a component of the Windows Media Tools. It's used to convert, or encode, audio or video into a format that can be distributed via the Windows Media Server. It's most commonly used to encode live audio or video for real-time broadcast, but it also can be used to encode video or audio into a Windows Media file for distribution and playback at a later time. The Windows Media Encoder generally resides on a separate server from the Windows Media Server. It sits upstream of the media server, preparing streamable data. It forwards the data to the media server, which handles the actual broadcast and distribution of the content.

What would the vulnerability allow a malicious user to do?
If a malicious user sent a request with a particular malformation to an affected encoder, it could cause the encoder to fail. This would not cause the server to crash, and the encoder could be put back into service simply by restarting it.

Why would the malformed request cause the encoder to fail?
The request causes the encoder to request more memory than exists on the server.

What effect would an attack via this vulnerability have on the Windows Media Server?
It wouldn't have any direct effect on the Windows Media Server. The vulnerability doesn't affect the Windows Media Server, and wouldn't allow the malicious user to cause it to fail. However, by causing the encoder to fail, the malicious user could deny digital content to the media server. The effect of such an attack would depend on the type of digital media that's being distributed. If the media server primarily provides static files - that is, files of pre-existing audio or video that customers can download and play - an attack might not be noticeable to end users. However, if the media server provides real-time broadcasts, such as live audio or video, the loss of the encoder would cause the broadcast to fail.

Is it easy to locate the server on which the encoder is running?
No. Although the encoder does typically reside on the Internet, its address isn't usually published, because it typically only communicates with the Windows Media Server. In order to attack an encoder, the malicious user would first need to determine the server's IP address.

Could an affected encoder be put back into service?
Yes. The operator would just need to restart the service. It would not be necessary to reboot the machine.

Could this vulnerability be exploited accidentally?
No. It requires that a very specific type of invalid request be sent to the encoder. No client software would generate this type of request - in fact, as discussed above, clients do not communicate directly with the encoder at all.

What machines are primarily at risk from this vulnerability?
This vulnerability would primarily affect Windows Media Encoder servers that are used to encode digital content for real-time broadcast.

Who should use the patch?
Streaming media providers using one of the affected versions of the Windows Media Encoder, and whose encoder server is not protected by a firewall should apply the patch.

I'm a home user and use Windows Media Player. Does this vulnerability affect me?
No. This vulnerability only affects digital media providers. It does not affect digital media clients.

What does the patch do?
The patch installs a new version of the Windows Media Technologies 4.1 encoder - one that correctly handles the malformed request at issue here. It's suitable for use by customers using either Windows Media Technologies 4.0 or 4.1.

How do I use the patch?
Knowledge Base article Q246133 contains detailed instructions for applying the patch to your site

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .

How can I tell if I installed the patch correctly?
Knowledge Base article Q246133 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article

What is Microsoft doing about this issue?

  • Microsoft has developed a procedure that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

Please see the following reference for more information related to this issue.

Other information:


Microsoft thanks Kit Knox for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Technical Support is available at

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.


The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • May 30, 2000: Bulletin Created.
  • June 20, 2000: Bulletin revised to reflect updated patch.
  • V2.0 (May 18, 2003): Introduced versioning and updated links to additional information.

Built at 2014-04-18T13:49:36Z-07:00