[Am-info] Software bug bites US military

Erick Andrews Erick Andrews" <eandrews@star.net
Tue, 18 Mar 2003 08:02:09 -0500 (EST) 

http://news.bbc.co.uk/2/hi/technology/2860189.stm

--------------------------------------------------------------------
Computer vandals have been exploiting a flaw in
Microsoft's Windows 2000 operating system even before the
software giant warned people of its existence.

A server operated by the US Army has already been attacked
via the security hole.

If successfully exploited the loophole can give attackers
control over a target machine.

In an advisory, Microsoft called the flaw "critical" and
has been telling customers to patch their computers in
case they fall victim.

Bad bug

The flaw is present in servers running Windows 2000, up to
and including service pack 3, and version 5.0 of
Microsoft's Internet Information Server (IIS) software.

It arises because of Microsoft's implementation of a
program called WebDAV that lets different people remotely
manage what is on a net server.

Using a cleverly crafted HTTP request an attacker could
exploit the flaw to gain control of a server and either
crash it or make it run programs of their choice.

Microsoft has issued an advisory about the flaw, calling
it "critical" and said an attacker that successfully
exploited it could gain "complete control" over a machine.

The software company has also provided a patch to close
the loophole as well as other tools to help customers
protect themselves against attack.

Often there is a hiatus between the discovery of a flaw in
software and its active exploitation by vandals.

However, in this case at least one net server has been
attacked via the WebDAV loophole before security
advisories have been issued.

The server, belonging to the US Army, was successfully
attacked in early March.  No serious damage was done
because it was not connected to any important systems.
Once patched it was attacked again.

Microsoft has reportedly spent time talking to customers
warning them to take action over the flaw.

Security firm ISS has also reported seeing isolated
attacks carried out using the WebDAV flaw.
--------------------------------------------------------------------

-- 
Erick Andrews