March, 2003
Security Alert: WebDAV Vulnerability in Internet Information Server (IIS) 5.0 Web Server Merits Immediate Attention
A new buffer overflow vulnerability has been identified in WebDAV in Internet Information Server (IIS) 5.0 running on Windows 2000. It is a very serious problem because it can allow a remote attacker to run rogue code with system-level privileges. (Please note that WebDAV is installed by default in Windows 2000 Server, but not in Windows 2000 Professional or Windows XP.) Exploit code appears to have been developed already, so dealing with this vulnerability promptly is exceptionally important.

If your IIS server is already running URLScan (highly advisable, since it protects your Web server from all kinds of malformed and excessive input), your server is not vulnerable. Nevertheless, it's a good idea to install the patch described in Microsoft Bulletin MS03-007. If your server is not running URLScan, you'll need to install the Microsoft patch at a minimum, but please also strongly consider downloading URLScan and installing it right away.