[Am-info] Software bug bites US military

John J. Urbaniak jjurban@attglobal.net
Tue, 18 Mar 2003 07:26:51 -0500


This is outrageous.  I believe that IBM should be cited for treason.  It
was IBM after all who gave Microsoft their monopoly and allowed this
dangerous situation to arise.

If one soldier is killed or injured because of this, that soldier's
blood is on IBM's hands.

John


Erick Andrews wrote:

> http://news.bbc.co.uk/2/hi/technology/2860189.stm
>
> --------------------------------------------------------------------
> Computer vandals have been exploiting a flaw in
> Microsoft's Windows 2000 operating system even before the
> software giant warned people of its existence.
>
> A server operated by the US Army has already been attacked
> via the security hole.
>
> If successfully exploited the loophole can give attackers
> control over a target machine.
>
> In an advisory, Microsoft called the flaw "critical" and
> has been telling customers to patch their computers in
> case they fall victim.
>
> Bad bug
>
> The flaw is present in servers running Windows 2000, up to
> and including service pack 3, and version 5.0 of
> Microsoft's Internet Information Server (IIS) software.
>
> It arises because of Microsoft's implementation of a
> program called WebDAV that lets different people remotely
> manage what is on a net server.
>
> Using a cleverly crafted HTTP request an attacker could
> exploit the flaw to gain control of a server and either
> crash it or make it run programs of their choice.
>
> Microsoft has issued an advisory about the flaw, calling
> it "critical" and said an attacker that successfully
> exploited it could gain "complete control" over a machine.
>
> The software company has also provided a patch to close
> the loophole as well as other tools to help customers
> protect themselves against attack.
>
> Often there is a hiatus between the discovery of a flaw in
> software and its active exploitation by vandals.
>
> However, in this case at least one net server has been
> attacked via the WebDAV loophole before security
> advisories have been issued.
>
> The server, belonging to the US Army, was successfully
> attacked in early March.  No serious damage was done
> because it was not connected to any important systems.
> Once patched it was attacked again.
>
> Microsoft has reportedly spent time talking to customers
> warning them to take action over the flaw.
>
> Security firm ISS has also reported seeing isolated
> attacks carried out using the WebDAV flaw.
> --------------------------------------------------------------------
>
> --
> Erick Andrews