Microsoft is re-releasing a security bulletin impacting Windows 2000 Server that it issued this month as part of Patch Tuesday. According to Microsoft, the bulletin does not effectively fix the underlying vulnerability.
Microsoft has pulled support for a Patch Tuesday update that fails
to properly fix a critical vulnerability on Windows 2000 Server.
The company issued MS10-025 earlier this month as part of an 11-bulletin security update for customers.
The bulletin was supposed to fix an issue affecting customers running
Windows 2000 Server Service Pack 4 who installed Windows Media
Services, a Microsoft platform for streaming live or on-demand audio
According to Microsoft, a remote code execution vulnerability exists
due to the way Windows Media Unicast Service handles specially crafted
transport information packets. So far, Microsoft has not observed any
attacks on the vulnerability, and Windows Media Services is not enabled
by default on Windows 2000 Server.
"Customers should review the bulletin for mitigations and
workarounds and those with Internet-facing systems with Windows Media
Services installed should evaluate and use firewall best practices to
limit their overall exposure," blogged Jerry Bryant,
group manager for Microsoft Security Response Center communications.
"We will continue to share updates here on the blog as available."
As a workaround, users can disable the Windows Media Unicast Service
or uninstall Windows Media Services. Instructions on how to do that are
contained within the advisory.