25 Mar 2003
The recently discovered security flaw in Microsoft's Web-based Distributed Authoring and Versioning (WebDAV) protocol for IIS server is more serious than was first thought, according to a UK security firm.
Although the flaw had mainly been associated with IIS 5.0 running on Windows 2000, security firm Next Generation Security Software (NGSS) warns in a white paper that the bug can be exploited across a wider range of software.
"It must be stressed that IIS was simply the attack vector; the method or route used to actually exploit the flaw. The problem, however, is much wider in scope than just simply machines running IIS," said NGSS researcher David Litchfield in a statement.
He added that researchers at NGSS have isolated many more attack vectors, including Java-based web servers and other non-WebDAV-related issues in IIS.
The firm also believes that several new attack vectors will come to light over the next few weeks.
"There are too many ways for an attacker to 'access' the vulnerability," said Litchfield. "Likely areas will be non-Microsoft web and ftp servers, Imap servers, antivirus solutions and other Windows Services."
Other security firms have already verified the existence of functional exploit tools being traded on the hacker underground.
The advice is to patch every Windows 2000 server or workstation, regardless of whether or not it is running IIS. The NGSS paper can be found here.