Microsoft IIS hole gives System-level access
Strong words from the official voice of Redmond today, urging admins to patch a recently-discovered buffer overflow vulnerability in servers running IIS 5.0 on Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server, make it clear how serious a security problem Microsoft has on its hands.
"Microsoft strongly urges all IIS 5.0 server administrators to install the patch immediately," a company security bulletin says.
The vulnerability was discovered less than a fortnight ago by engineers from eEye Digital Security while they were upgrading Retina, a security scanner the company makes.
Once upgraded to audit the .printer ISAPI (Internet Server Application Programming Interface) filter (C:\WINNT\System32\msw3prt.dll), which enables Web-based control of networked printers, the Retina implementation reported a buffer overflow which eEye soon found to be exploitable.