IIS 5.0 on Win2K from InfoWeek

From: <>
Date: Wed, 02 May 2001 10:47:44 -0700
Message-ID: <>

Microsoft is warning that an "extremely serious" flaw in Windows 2000 could enable a cracker to control any system running Internet Information Services (IIS) 5.0 software that ships with the operating system. Earlier versions are not affected.

"Upgrade the patch before you read the bulletin [ ]," warns Scott Culp, a Microsoft security program manager. Culp says an unchecked buffer in the services that support Internet printing capabilities causes the vulnerability. He adds that users who turn off the printing services are not vulnerable.

The extent of the vulnerability is severe. "There is virtually nothing a malicious hacker couldn't do to an exploited system," Culp says. Microsoft says it has distributed information about the vulnerability and started contacting certain customers before the company released the patch at 1 p.m. EDT Tuesday. A security software firm, eEye Digital Security, notified Microsoft of the vulnerability 10 days earlier.

Gartner analyst John Pescatore says a large portion of Windows 2000 users probably have not turned off the affected services and should either do so or install the patch immediately. Pescatore says Microsoft made a critical error. "IIS has been a cancer on Windows 2000," he says. "Including that code in the Windows 2000 base vs. it being a separate application was a huge mistake." - George V. Hulme

Received on Wed May 02 2001 - 12:47:44 CDT