IIS .printer overflow
An attack was detected against the Microsoft .printer ISAPI filter.
The "msw3prt.dll" is an extension installed by default on Microsoft IIS 5.0 (the web-server included with Windows 2000 servers). This ISAPI extension provides support for the Internet Printing Protocol (IPP) standard.
A buffer-overflow bug was discovered in this extension.
All versions of Microsoft IIS and PWS software, including the following patches: Windows 2000 PS2, Windows NT SP5
The .printer extension cannot be disabled. Therefore, the only defense is to patch the server.
Two conditions must be true for this alert to trigger. First, the file extension must be ".printer"; secondly, a long HTTP "Host:" field must be included. The HTTP field with binary alert will also trigger for some known exploits.
Previous versions of the sensor triggered just on the HTTP HOST: field overflow. This signature was added to more clearly identify the attack.
Version appeared: 2.5