Microsoft patches two media flaws

Microsoft released fixes on Wednesday for security risks that could make Windows 2000 Server and Windows Media Player 9 vulnerable to attack.

A flaw in Windows Media Services for Windows 2000 Server could allow an attacker to release a malicious program onto a server running the software. Another flaw threatens to reveal the music library data on any PC running Windows Media Player 9.

The first flaw, which the software giant ranked "important," its second highest of four ratings, is due to a memory problem known as a "buffer overflow." Intruders can often exploit such flaws to crash computers or run malicious code.

The threat is somewhat lessened by the fact that Windows Media Services is not installed by default. An administrator has to request that it be installed, Microsoft said in its advisory. Windows 2000 Server, Datacenter Server and Advanced Server could be affected by this flaw.

The second flaw affects any system with Microsoft's Windows Media Player 9 installed. An attacker could invoke an ActiveX control the software uses to access library data on the PC. The security hole could, at worst, constitute a privacy threat, as it only allows an outsider to read information in the attacked media library. Microsoft's advisory ranks the threat as "moderate," the second lowest of its four rankings.

The fixes come as the software maker is struggling to determine the threat posed by a security flaw in Internet Explorer that was highlighted in a public forum this weekend. Microsoft is still investigating that problem.