guyver01
Lifer
Microsoft Corp. announced on Monday that it had uncovered a critical security vulnerability in a component of Windows 2000 operating system, which could enable a remote attacker to gain control of a system running Windows 2000 and Internet Information Server (IIS) Web server. Microsoft has also reported receiving isolated reports of attacks that exploited this vulnerability.
Vulnerability Description:
An unchecked buffer in the Windows 2000 component used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol could allow an attacker to cause a buffer overflow on a machine running IIS 5.0. (WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers. The protocol is designed to create collaborative applications that facilitate geographically distant software development teams.)
Vulnerability Exploitation:
Attackers could mount a denial-of-service attack against vulnerable machines or execute their own code in the security context of the IIS service, possibly gaining control of vulnerable systems. Attacks could come in the form of malformed WebDAV requests to a system running IIS Version 5.0. WebDAV requests typically use the same port as other Web traffic (Port 80) - attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability.
Vulnerable Systems:
Windows 2000 systems running IIS Version 5.0 are vulnerable:
- IIS 5.0 is installed by default on all server versions of Windows 2000. (It is NOT installed on Windows 2000 Professional by default.)
- Windows NT and XP systems are not vulnerable.
Remedial Actions:
Microsoft has provided a patch for the WebDAV vulnerability and recommends that customers using IIS Version 5.0 on Windows 2000 apply that patch at the earliest possible opportunity. An updated version of Microsoft's IIS Lockdown Tool was also released for organizations that are unable to immediately install the patch or that do not need to run IIS. The Lockdown Tool disables unnecessary features of IIS, reducing the vulnerability to attacker. Other utilities were provided for organizations that require the use of IIS but can't apply the patch or deploy the Lockdown Tool.
Recommendations:
- If IIS is not required, administrators are advised to remove or disable it at the earliest opportunity.
- If IIS is required, immediate application of the recommended security patch is advised. If this is not possible, system administrators are advised to run the Lockdown tool to secure IIS.
IIS LockDown Tool/URLScan
U.S. military computer attacked by this Previously undiscovered flaw
Microsoft Security Bulletin MS03-007
Vulnerability Description:
An unchecked buffer in the Windows 2000 component used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol could allow an attacker to cause a buffer overflow on a machine running IIS 5.0. (WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers. The protocol is designed to create collaborative applications that facilitate geographically distant software development teams.)
Vulnerability Exploitation:
Attackers could mount a denial-of-service attack against vulnerable machines or execute their own code in the security context of the IIS service, possibly gaining control of vulnerable systems. Attacks could come in the form of malformed WebDAV requests to a system running IIS Version 5.0. WebDAV requests typically use the same port as other Web traffic (Port 80) - attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability.
Vulnerable Systems:
Windows 2000 systems running IIS Version 5.0 are vulnerable:
- IIS 5.0 is installed by default on all server versions of Windows 2000. (It is NOT installed on Windows 2000 Professional by default.)
- Windows NT and XP systems are not vulnerable.
Remedial Actions:
Microsoft has provided a patch for the WebDAV vulnerability and recommends that customers using IIS Version 5.0 on Windows 2000 apply that patch at the earliest possible opportunity. An updated version of Microsoft's IIS Lockdown Tool was also released for organizations that are unable to immediately install the patch or that do not need to run IIS. The Lockdown Tool disables unnecessary features of IIS, reducing the vulnerability to attacker. Other utilities were provided for organizations that require the use of IIS but can't apply the patch or deploy the Lockdown Tool.
Recommendations:
- If IIS is not required, administrators are advised to remove or disable it at the earliest opportunity.
- If IIS is required, immediate application of the recommended security patch is advised. If this is not possible, system administrators are advised to run the Lockdown tool to secure IIS.
IIS LockDown Tool/URLScan
U.S. military computer attacked by this Previously undiscovered flaw
Microsoft Security Bulletin MS03-007
