Microsoft publishes alert, warns of exploit

Microsoft (MS) has discovered a critical security vulnerability in a component of its Windows 2000 operating system that could enable a remote attacker to gain total control of a machine running Windows 2000 and Microsoft's Internet Information Server (IIS) Web server.

The company said that it had also received isolated reports of attacks that exploit the new vulnerability.

An unchecked buffer in a Windows 2000 component used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol could allow an attacker to cause a buffer overflow on the machine running IIS, according to the Microsoft Security bulletin MS03-007. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp.)

WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.

Attackers could mount a denial of service (DoS) attack against such machines or execute their own malicious code in the security context of the IIS service, giving them unfettered access to the vulnerable system, Microsoft said.

Attacks could come in the form of malformed WebDAV requests to a machine running IIS version 5.0. Because WebDAV requests typically use the same port as other Web traffic (Port 80), attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability, Microsoft said.

Machines running the Windows NT and Windows XP operating systems were not vulnerable, according to Microsoft.

Microsoft provided a patch for the WebDAV vulnerability and recommended that customers using IIS version 5.0 on Windows 2000 apply that patch at the earliest possible opportunity.

Internet Security Systems (ISS) detected an attack that used the vulnerability on one of its scanners late last week, , team leader of X-Force research and development at ISS, Dan Ingevaldson, said.

The company was able to isolate the attack and identify the vulnerability it exploited, Ingevaldson said. ISS informed Microsoft, but said that the problem was already known to Microsoft at that point.

Because of reports of active attacks exploiting the WebDAV vulnerability, an updated version of Microsoft's IIS Lockdown Tool was also released for organisations that are unable to immediately install the patch, or that do not need to run IIS.

The Lockdown Tool turned off unnecessary features of IIS, reducing the openings available to attackers, Microsoft said.

ISS is warning administrators to familiarise themselves with the Lockdown Tool before using it.

The tool's design and complex options can often lead administrators to believe that they hadisabled options when they have not, Ingevaldson said.

ISS included information in its alert that explained how to properly use the Lockdown Tool and verify that WebDAV was disabled, he said.

Other utilities were provided for organisations that require the use of IIS, but could not apply the patch or deploy the Lockdown Tool.

The latest announcement recalled earlier Microsoft vulnerabilities that set the stage for the devastating Code Red and NIMDA worms, a security strategist at Computer Associates International, Ian Hameroff, said.

Adding to the danger of the new vulnerability was the fact that many administrators might not know that they had the WebDAV service enabled on their IIS server, Hameroff said.

The service was enabled by default on IIS 5, he said.

Computer Associates is encouraging its customers to follow Microsoft's instructions for patching IIS or for shutting down the vulnerable WebDAV component on their IIS Web server. "We're warning our users that this is an open door to their business that needs to be shut," Hameroff said.

Join the newsletter!

Error: Please check your email address.

More about CA TechnologiesInternet Security SystemsISS GroupMicrosoftSecurity SystemsX-Force

Show Comments
[]