Microsoft Security Bulletin MS01-023
Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
Originally posted: May 01, 2001
Updated: June 23, 2003
Who should read this bulletin:
All web server administrators using Microsoft® Windows® 2000
Impact of vulnerability:
Run code of attacker's choice in system context.
Microsoft strongly urges all IIS 5.0 server administrators to install the patch immediately.
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
Note: The vulnerability is only exposed if IIS 5.0 is running.
- Microsoft Knowledge Base article Q296576 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (May 01, 2001): Bulletin Created.
- V1.1 (May 03, 2001): Bulletin updated to note that Windows 2000 Professional is affected, and to note that group policy settings for Internet printing, if configured, would override those made via the Internet Services Manager.
- V1.2 (May 09, 2001): FAQ updated to note that applying ISM changes to child folders on an Exchange 2000 machine could disable OWA.
- V1.3 (May 14, 2001): Bulletin and FAQ updated to strengthen recommendation that Group Policy, rather than the ISM, be used to disable Internet Printing.
- V1.4 (June 23, 2003): Updated Windows Update download links.