IDG News Service - Microsoft Corp. said today that it has discovered a critical security vulnerability in a component of its Windows 2000 operating system that could enable a remote attacker to gain total control of a machine running Windows 2000 and Microsoft's Internet Information Server (IIS) Web server.
The company has also received isolated reports of attacks that exploit the new vulnerability, according to a spokesman.
An unchecked buffer in a Windows 2000 component used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol could allow an attacker to cause a buffer overflow on a machine running IIS, according to Microsoft security bulletin MS03-007.
WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.
Attackers could mount a denial-of-service attack against such machines or execute their own malicious code in the security context of the IIS service, gaining unfettered access to the vulnerable system, Microsoft said.
Attacks could come in the form of malformed WebDAV requests to a machine running IIS Version 5.0. Because WebDAV requests typically use the same port as other Web traffic (Port 80), attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability, Microsoft said.
Machines running the Windows NT and XP operating systems are not vulnerable, according to Microsoft.
Microsoft provided a patch for the WebDAV vulnerability and recommended that customers using IIS Version 5.0 on Windows 2000 apply that patch at the earliest possible opportunity.
Because of reports of active attacks exploiting the WebDAV vulnerability, an updated version of Microsoft's IIS Lockdown Tool was also released for organizations that are unable to immediately install the patch or that do not need to run IIS. The Lockdown Tool turns off unnecessary features of IIS, reducing the openings available to attackers, Microsoft said.
Other utilities were provided for organizations that require the use of IIS but can't apply the patch or deploy the Lockdown Tool.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
