Microsoft warns on Windows 2000 vulnerability

18 Mar 2003

Microsoft yesterday issued a security bulletin warning of a ‘critical’ vulnerability in Windows 2000. The hole will allow attackers to run code of their choice on affected machines.

The software company advised that systems administrators apply a patch immediately.

The issue lies in a Windows component known as the WebDAV (World Wide Web Distributed Authoring and Versioning) protocol. WebDAV is a set of extensions to the Hypertext Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the internet. The vulnerability is present in a Windows component that is used by WebDAV, and it occurs because that component contains an unchecked buffer.

An attacker may exploit the vulnerability by sending a specially formed HTTP request to a computer running Microsoft Internet Information Services (IIS). The request may cause the server to fail or to run code of the attacker’s choice. The code would run in the security context of the IIS service.

Microsoft has supplied a patch for this vulnerability and recommends that users install it immediately. For users who first need to assess the impact and compatibility of the patch, additional tools and preventive measures have been provided online to block exploitation of the vulnerability.

By Dick O’Brien