Windows 2000 Security Flaw Attacked Before Patch Was Available

A critical security flaw in the operating system, revealed Monday, has been under attack for about a week.

information Staff, Contributor

March 17, 2003


Security companies are warning users that hacker attacks against a security flaw found in Windows 2000 servers, just disclosed Monday, have been under way for about a week. "It's a zero-day attack," says Russ Cooper, editor of NTBugtraq and surgeon general of security firm TruSecure Corp. "This is a very rare event."

A zero-day attack is one in which hackers exploit vulnerabilities within systems before companies have been warned of the security hole.

According to information gleaned from TruSecure's intelligence-gathering services, Cooper says, a Web server run by the U.S. Army was struck last week by an attacker exploiting the vulnerability. The vulnerability, an unchecked buffer, is found in Microsoft's Web-based Distributed Authoring and Versioning (WebDAV) component in the company's Internet Information Services software. The flaw is found only in versions of IIS 5.0 on Windows 2000 servers. Other versions are not affected, according to Microsoft.

The flaw could allow an attacker to gain complete control of vulnerable systems, experts warn.

Cooper says he was in contact with the Pentagon and that officials there were not aware of any such compromise. "This leads me to believe that the affected system is not a critical system," Cooper says.

Hackers are already well aware of the new Microsoft vulnerability. Internet Security Systems Inc. is reporting that "this vulnerability is currently being exploited in the wild." The company says it has verified that a functioning hacker tool to exploit the vulnerability is available on the Internet.

Ian Hameroff, a security strategist for Computer Associates, says this vulnerability could remind systems administrators of the business interruptions caused by Code Red in the summer of 2001. Code Red spread rapidly throughout the Internet, infecting thousands of servers in a matter of hours. "CA is warning that this is an open door to your business. Let's shut it before it becomes the next Code Red or Nimda, leading to serious business interruption," Hameroff says.

Since a functional exploit tool is already available, Hameroff says businesses need to fix this hole immediately by disabling the WebDAV component. Cooper agrees. "If you're not using WebDAV, just turn it off. If you absolutely have to use WebDAV, then apply the patch."

More information, including the patch, is available on Microsoft's Web site.
