Reported June 25, 2003, by Microsoft.

 

VERSIONS AFFECTED

 

  • Windows 2000

 

DESCRIPTION

 

A new vulnerability in Windows 2000 can result in the execution of arbitrary code on the vulnerable computer. This vulnerability stems from a flaw in the way the ISAPI extension "nsiislog.dll" processes incoming client requests. To exploit this vulnerability, an attacker could send a specially formed HTTP request to the server that could cause Microsoft IIS to fail or execute code on the user's system.

 

VENDOR RESPONSE

 

Microsoft has released Security Bulletin MS03-022, "Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)," to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.

 

CREDIT

Discovered by Brett Moore.