Microsoft IIS 5.0 Vulnerability

Information Note Number: IN01-001
3 May 2001

Purpose

On May 1, 2001, Microsoft issued Security Bulletin MS01-23 warning of a vulnerability recently uncovered in Microsoft IIS 5.0 running on Windows 2000. Exploitation of this vulnerability allows a remote intruder to run arbitrary code on the victim's machine, allowing them to gain complete administrative control. A proof-of-concept exploit is publicly available for this vulnerability which increases the urgency that system administrators apply a patch.

Full details and a patch can be found at a number of sites including Microsoft's and Cert.org.

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca