Military Investigates System Intrusion Involving Windows 2000 Security Flaw

Computerworld - Pentagon sources last week confirmed that officials are investigating an apparent intrusion into at least one military server through a previously unknown vulnerability in Microsoft Corp.'s Windows 2000 operating system.

Microsoft gave the buffer overflow vulnerability a "critical" severity rating and issued a software patch designed to fix the flaw, which involves a component of Windows 2000 that's used to manage the Web Distributed Authoring and Versioning (WebDAV) protocol. Hackers could use the hole to take control of unprotected Web servers, and Microsoft said it has received isolated reports of attempts to exploit the vulnerability.

The initial attack reports centered around a U.S. Army Web server. But after an investigation, the Army said it had no evidence that any of its systems had been compromised.

"To the best of our knowledge, an Army system was not attacked," said Col. Ted Dmuchowski, director of information assurance at the Army's Network Technology Enterprise Command. "According to our records, the military sites that were attacked did not belong to the Army."

Nonetheless, Dmuchowski said in a statement that IT staffers "have taken measures to push the appropriate patch down to all Army networks."

Security analysts described the reported attack as a rare example of a "zero-day" exploit, in which hackers try to take advantage of a software vulnerability that has yet to be reported and for which there is no available patch.

Jeffrey Jones, senior director of marketing for Microsoft's Trustworthy Computing security initiative, said company officials were told about the vulnerability on March 12 by two customers who reported that they were being actively attacked. Jones declined to disclose further information about the users.

Microsoft typically issues security bulletins on Wednesdays, but Jones said it decided to post the WebDAV warning on its Web site last Monday because of the reports of active attacks.

The company also specified work-arounds for users who may not be able to apply the fix right away.

"We're trying to put an extra emphasis on alternative ways to protect yourself," he said.

Indeed, Microsoft acknowledged that the patch itself could cause problems for some users of Windows 2000 and its Service Pack 2 bug-fix update. After issuing the patch, the company said that it's incompatible with a dozen other fixes developed for the operating system from December 2001 to February 2002.

Incompatibilities

The incompatibilities may leave IT managers unable to reboot their systems after they install the new patch, according to Microsoft. Users with certain versions of a file called ntoskrnl.exe on their Windows 2000 systems should call Microsoft's product support services unit before they apply the patch, Microsoft said.