[ISN] Microsoft warns of exploit in Windows 2000, IIS

From: InfoSec News (isnat_private)
Date: Tue Mar 18 2003 - 05:40:44 PST

    By Paul Roberts
    IDG News Service
    Microsoft said Monday that it discovered a critical security
    vulnerability in a component of its Windows 2000 operating system that
    could enable a remote attacker to gain total control of a machine
    running Windows 2000 and Microsoft's Internet Information Server (IIS)  
    Web server.
    A company spokesman said that Microsoft has also received isolated
    reports of attacks that exploit the new vulnerability.
    An unchecked buffer in a Windows 2000 component used to handle the
    World Wide Web Distributed Authoring and Versioning (WebDAV) protocol
    could enable an attacker to cause a buffer overflow on the machine
    running IIS, according to the Microsoft Security bulletin MS03-007.
    WebDAV is a set of extensions to HTTP that allows users to edit and
    manage files on remote Web servers. The protocol is designed to create
    interoperable, collaborative applications that facilitate
    geographically dispersed "virtual" software development teams.
    Attackers could mount a denial of service (DoS) attack against such
    machines or execute their own malicious code in the security context
    of the IIS service, giving them unfettered access to the vulnerable
    system, Microsoft said.
    Attacks could come in the form of malformed WebDAV requests to a
    machine running IIS version 5.0. Because WebDAV requests typically use
    the same port as other Web traffic (Port 80), attackers would only
    need to be able to establish a connection with the Web server to
    exploit the vulnerability, Microsoft said.
    Machines running the Windows NT and Windows XP operating systems are
    not vulnerable, according to Microsoft.
    Microsoft provided a patch for the WebDAV vulnerability and
    recommended that customers using IIS version 5.0 on Windows 2000 apply
    that patch at the earliest possible opportunity.
    Internet Security Systems detected an attack that used the
    vulnerability on one of its scanners late last week, according to Dan
    Ingevaldson, team leader of X-Force research and development at ISS.
    The company was able to isolate the attack and identify the
    vulnerability it exploited. ISS informed Microsoft, but said that the
    problem was already known to Microsoft at that point, according to
    Because of reports of active attacks exploiting the WebDAV
    vulnerability, an updated version of Microsoft's IIS Lockdown Tool was
    also released for organizations that are unable to immediately install
    the patch, or that do not need to run IIS.
    The Lockdown Tool turns off unnecessary features of IIS, reducing the
    openings available to attackers, Microsoft said.
    ISS is warning administrators to familiarize themselves with the
    Lockdown Tool before using it. The tool's design and complex options
    can often lead administrators to believe that they have disabled
    options when they have not, according to Ingevaldson.
    ISS included information in its alert that explains how to properly
    use the Lockdown Tool and verify that WebDAV is disabled, Ingevaldson
    Other utilities were provided for organizations that require the use
    of IIS, but could not apply the patch or deploy the Lockdown Tool.
    The latest announcement recalls earlier Microsoft vulnerabilities that
    set the stage for the devastating Code Red and NIMDA worms, according
    to Ian Hameroff, a security strategist at CA.
    Adding to the danger of the new vulnerability is the fact that many
    administrators may not know that they have the WebDAV service enabled
    on their IIS server, Hameroff said.
    The service is enabled by default on IIS 5, according to Hameroff.
    CA is encouraging its customers to follow Microsoft's instructions for
    patching IIS or for shutting down the vulnerable WebDAV component on
    their IIS Web server.
    "We're warning our users that this is an open door to their business
    that needs to be shut," Hameroff said.
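
The article notes that administrators can believe WebDAV is disabled when it is not. As an added example (not from the article, Microsoft or ISS), one way to check a server you administer is to inspect what its HTTP OPTIONS response advertises. The sample responses and function names are constructed for illustration, and an empty result only means no WebDAV support was advertised.

```python
import http.client

# Methods defined by WebDAV (RFC 2518) rather than plain HTTP/1.1.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample OPTIONS responses (not captured from a real server).
SAMPLE_DAV_ON = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, LOCK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n\r\n"
)
SAMPLE_DAV_OFF = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n\r\n"
)

def parse_headers(raw_response):
    """Parse the header block of a raw HTTP response into {lowercase name: value}."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            # Repeated headers are merged into one comma-separated value.
            headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return headers

def webdav_indicators(headers):
    """Return the reasons a response suggests WebDAV is enabled (empty list = none seen)."""
    findings = []
    if "dav" in headers:
        findings.append("DAV compliance header present: " + headers["dav"])
    for name in ("allow", "public"):
        methods = {m.strip().upper() for m in headers.get(name, "").split(",")}
        exposed = sorted(methods & WEBDAV_METHODS)
        if exposed:
            findings.append(f"{name.title()} lists WebDAV methods: {', '.join(exposed)}")
    return findings

def check_host(host, port=80, timeout=5.0):
    """Send OPTIONS / to a server you administer and report WebDAV indicators."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        return webdav_indicators({k.lower(): v for k, v in resp.getheaders()})
    finally:
        conn.close()
```

Run `check_host` before and after applying the Lockdown Tool or other mitigation to confirm that the advertised WebDAV methods actually disappear.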