Microsoft issued a "critical" rating on the flaw and issued a patch while warning that the vulnerability may allow a remote attacker to run arbitrary code on an infected machine.
"An exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply a patch," the Center warned. IIS 5.0 is installed and running by default on Microsoft Windows 2000 server products.
WebDAV uses IIS to pass requests to and from Windows 2000. Microsoft explained that when IIS receives a WebDAV request, it typically processes the request and then acts on it. However, if the request is formed in a particular way, a buffer overrun can result because one of the Windows components called by WebDAV does not correctly check parameters.