
Microsoft Security Bulletin MS00-025 discusses a procedure that eliminates a vulnerability in Microsoft® Visual Interdev 1.0, affecting customers who use several web server products. A component of Visual Interdev 1.0 that ships with these products could allow a malicious user to cause an affected web server to crash or, under certain conditions, run code of his choice on the server.

What's the scope of the vulnerability?

This is a buffer overrun vulnerability. Microsoft has verified that a malicious user could use this vulnerability to cause a web server to crash, in a denial of service attack. Microsoft is investigating the possibility that the vulnerability would allow a malicious user to run code of his choice on the server as well. When the results of the investigation are known, we will update the bulletin to provide additional information.

Microsoft recommends that customers using an affected web server product delete the component that contains the vulnerability, Dvwssr.dll. Customers who already did so per the original version of this bulletin do not need to take any further action. If Microsoft's ongoing investigation shows that the vulnerability can be used to run arbitrary code as well, customers who have deleted the file will already be protected and will not need to take any further action.
