Microsoft Severity Rating: Critical
Affected Software: Windows 2000

Summary:

A new vulnerability in Microsoft Internet Information Server/5.0 (included with all versions of Windows 2000) can be exploited by an attacker to remotely gain privileged access to the affected system.

All administrators and end-users who are running Windows 2000 systems should check to see if they are vulnerable and apply the patch which is available from Microsoft.

Please note that Windows 2000 Server ships with IIS enabled by default, even if the system is not used as a web server. It can also be enabled on Windows 2000 Professional. For those systems, the best course of action is to disable IIS completely.

If you need to run IIS, please consider using the "IIS Lockdown Tool", which configures IIS to run in a more secure configuration than the default. Systems which have previously disabled the "WebDAV" feature using this tool are not vulnerable to this latest bug.

IIS Lockdown Tool:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955

For more information, please see the Microsoft advisory:
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

Also, CERT has an advisory here:
http://www.cert.org/advisories/CA-2003-09.html

--
Chris Russel
Manager, CNS Information Security
York University, Toronto, Canada