Microsoft Severity Rating: Critical
Affected Software: Windows 2000
Summary: A new vulnerability in Microsoft Internet Information Server 5.0
(included with all versions of Windows 2000) can be exploited by an
attacker to remotely gain privileged access to the affected system. All
administrators and end-users who are running Windows 2000 systems should
check to see if they are vulnerable and apply the patch which is available
from Microsoft.
Please note that Windows 2000 Server ships with IIS enabled by default,
even if the system is not used as a web server. It can also be enabled on
Windows 2000 Professional. For those systems, the best course of action is
to disable IIS completely.
If you need to run IIS, please consider using the "IIS Lockdown Tool",
which configures IIS to run in a more secure configuration than the
default. Systems which have previously disabled the "WebDAV" feature
using this tool are not vulnerable to this latest bug.
IIS Lockdown Tool:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
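Before disabling WebDAV, an administrator will usually want to know whether anything on the server actually uses it. As an added example (not part of the original post or of the Lockdown Tool), the Python below scans IIS W3C extended log lines for WebDAV verbs and reports which clients issued them; the log lines are constructed and the verb list is my assumption about which methods the IIS 5.0 WebDAV extension handles.

```python
from collections import Counter

# Verbs served by the IIS WebDAV extension (assumed list; OPTIONS, PUT and
# DELETE are omitted because plain HTTP clients also use them).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample in IIS 5.0 W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-03-18 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-03-18 00:00:01 10.0.0.5 GET /default.htm 200
2003-03-18 00:00:09 10.0.0.5 GET /images/logo.gif 200
2003-03-18 00:01:17 192.0.2.44 PROPFIND /exchange/ 207
2003-03-18 00:01:18 192.0.2.44 SEARCH / 411
2003-03-18 00:02:03 10.0.0.7 OPTIONS / 200
"""


def webdav_summary(log_text):
    """Return (total data lines, Counter of (client ip, method) for WebDAV verbs).

    The column layout is taken from the #Fields directive, so the function
    works for any field selection as long as cs-method and c-ip are logged.
    """
    fields = None
    total = 0
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # malformed or truncated line; skip it
        rec = dict(zip(fields, cols))
        total += 1
        method = rec.get("cs-method", "").upper()
        if method in WEBDAV_METHODS:
            hits[(rec.get("c-ip", "-"), method)] += 1
    return total, hits


def webdav_in_use(log_text):
    """True if any WebDAV verb appears in the log."""
    return sum(webdav_summary(log_text)[1].values()) > 0


if __name__ == "__main__":
    total, hits = webdav_summary(SAMPLE_LOG)
    print(f"{total} requests, {sum(hits.values())} WebDAV requests")
    for (ip, method), n in sorted(hits.items()):
        print(f"  {ip:15} {method:9} {n}")
```

Run it against the server's actual log files; a result of no WebDAV hits over a representative period supports disabling the feature outright, while hits from a small set of internal clients identify who needs to be consulted first.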
For more information, please see the Microsoft advisory:
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
Also, CERT has an advisory here:
http://www.cert.org/advisories/CA-2003-09.html
--
Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada