March 17, 2003 12:09 PM PST
Security hole in Windows 2000 servers
Because the vulnerability is being actively exploited by Internet vandals, Microsoft advised customers to apply a patch or use a workaround to defend against the attack as soon as possible.
"We have had isolated reports from customers that (the flaw) is getting exploited," said Iain Mulholland, security program manager for Microsoft's security response center. "We have issued a number of workaround options. Ultimately, the only way to protect yourself is apply a patch, but we respect companies' need to test first."
The incident nearly embodies a worst-case scenario for how a vulnerability should be discovered. Companies generally hope that researchers will discover a flaw, inform the software maker, and then wait to announce the flaw until a patch is prepared. When online vandals have access to a "zero day" vulnerability--a flaw that companies aren't warned of--they can break into far more computers before software makers understand what is going on.
In this case, Microsoft learned of the vulnerability after online hackers used the flaw to breach the security of a customer's Web servers last Wednesday, Mulholland said. He said the incident is being investigated by federal law enforcement.
Atlanta-based Internet Security Systems also had a customer affected and confirmed that a tool to take advantage of the flaw is being distributed on the Internet.
Still, attacks are not yet widespread, said Dan Ingevaldson, team leader for Internet Security Systems' research and development group. "We have sensors that are deployed all over the world, and we have not seen them light up with this attack," he said. "So we believe the incidents are contained at this point, but we don't expect that to last very long."
The flaw, known as a buffer overflow, is in a component of the software that handles the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol in Microsoft's Internet Information Server (IIS). A specially formatted Web request to the WebDAV component can overflow the memory allocated to such requests and cause another, malicious program to be run instead. The technique can be used to take control of the server.
The flaw affects only IIS 5.0 on Windows 2000 servers. IIS 4.0 on Windows NT and IIS 5.1 on Windows XP are not affected.
How quickly the patch and workarounds get applied is a big question for the software giant. In the past, system administrators have been slow to apply the software fixes. Patches released six months before the Slammer worm didn't prevent that malicious program from spreading to nearly 200,000 Microsoft SQL servers.
This time around, the company doesn't have a head start on those abusing the flaw. Whether that threat spurs companies to apply the patches more quickly remains to be seen.