A flaw in Windows Media Services for Windows 2000 Server could allow an attacker to release a malicious program onto a server running the software. Another flaw threatens to reveal the music library data on any PC running Windows Media Player 9.
The first flaw, which the software giant ranked "important,", is due to a memory problem known as a "buffer overflow." Intruders can often exploit such flaws to crash computers or run malicious code.
The threat is somewhat lessened by the fact that Windows Media Services is not installed by default. An administrator has to request that it be installed, Microsoft said in its advisory. Windows 2000 Server, Datacenter Server and Advanced Server could be affected by this flaw.
The second flaw affects any system with Microsoft's Windows Media Player 9 installed. An attacker could invoke an ActiveX control the software uses to access library data on the PC. The security hole could, at worst, constitute a privacy threat, as it only allows an outsider to read information in the attacked media library. Microsoft's advisory ranks the threat as "moderate," the second lowest of its four rankings.
The fixes come as the software maker is struggling to determine the threat posed bythis weekend. Microsoft is still investigating that problem.