18 Mar 2003, Iain Thomson, V3
Windows 2000 users need to patch their systems immediately to avoid hackers taking control, Microsoft has warned.
Users have discovered a flaw in the operating system's implementation of the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.
WebDAV provides a standard for editing and file management between computers on the internet using HTTP, and is commonly used to manage web servers remotely.
If a hacker sends a specially crafted HTTP request to a server running IIS, they can either shut down the server or cause it to run their code.
The flaw is not related to the new version of CodeRed II that also attacks IIS servers.
"A few customers found out about this last week and let us know," said Simon Conant, security specialist for Microsoft.
"We've been quick to write, test and release the patch and, although the problem hasn't spread, it wouldn't hurt to be fully patched."
But, unusually, the patch was released as the sole item in the announcement, rather than as part of a bundle of patches. This gives an indication of how seriously Microsoft is taking the problem.
Security consultants are warning that the flaw is serious.
"We have verified the existence of a functional exploit tool," said Internet Security Systems' X-Force in a statement.
"This vulnerability is in itself very serious, but the existence of robust exploits in the wild dictates that fixes or temporary workarounds should be applied immediately."
Although Microsoft has supplied a patch for this vulnerability and recommends that customers install it immediately, additional tools and preventive measures have been provided to block exploitation of the vulnerability while the software giant assesses the impact and compatibility of the patch.
Microsoft pointed to the following mitigating factors:
A patch for all PCs except Japanese NEC boxes (which use a different x86 architecture) is available here.