Summary
There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user's system.
Solution
Microsoft has released a patch to correct these issues Download locations for this patch
Microsoft Windows 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F772E131-BBC9-4B34-9E78-F71D9742FED8&displaylang=en
Note: This patch can be installed on systems running Microsoft Windows 2000 Service Pack 2, Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4. This patch has been superseded by the one provided in Microsoft Security Bulletin MS03-019. http://www.microsoft.com/technet/security/bulletin/MS03-019.mspx
Severity
Classification
-
CVE CVE-2003-0349 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Microsoft Internet Explorer Memory Corruption Vulnerability (2755801)
- Internet Explorer Vector Markup Language Remote Code Execution Vulnerability (2544521)
- Microsoft Excel Remote Code Execution Vulnerabilities (968557)
- Microsoft Embedded OpenType Font Engine Remote Code Execution Vulnerabilities (961371))
- Microsoft DirectShow Remote Code Execution Vulnerability (961373)