Vulnerability Note VU#395588

Microsoft Internet Information Services vulnerable to remote code execution via specially crafted ASP file

Original Release date: 11 Jul 2006 | Last revised: 19 Jul 2006


Microsoft Internet Information Services (IIS) contains a buffer overflow vulnerability. This may allow a remote, authenticated attacker to execute arbitrary code on a vulnerable system.



IIS is a web server that comes with Microsoft Windows.


ASP (Active Server Pages) is a technology for creating dynamic web sites. IIS includes the ability to serve ASP content.

The problem

IIS contains a buffer overflow in the handling of specially crafted ASP pages.


A remote, authenticated attacker may be able to run arbitrary code on a vulnerable system. This code would run with the privileges of IWAM_<machinename> on a system with IIS 5.0 and 5.1, and it would run with NetworkService privileges on a system with IIS 6.0.


Apply an update
This vulnerability is addressed by the updates provided by MS06-034.

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  -              11 Jul 2006

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A



Thanks to Microsoft for reporting this vulnerability, who in turn credit Brett Moore of

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2006-0026
  • Date Public: 11 Jul 2006
  • Date First Published: 11 Jul 2006
  • Date Last Updated: 19 Jul 2006
  • Severity Metric: 19.42
  • Document Revision: 5

