Microsoft says 'critical' vulnerability threatens Windows 2000

Microsoft has discovered a "critical" security vulnerability in a component of its Windows 2000 operating system.

Microsoft has discovered a critical security vulnerability in a component of its Windows 2000 operating system .

The flaw could enable a remote attacker to gain total control of a machine running Windows 2000 and Microsoft's Internet Information Server (IIS) Web server.

A Microsoft spokesman said Microsoft had also received isolated reports of attacks that exploit the new vulnerability.

An unchecked buffer in a Windows 2000 component used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol could enable an attacker to cause a buffer overflow on the machine running IIS, the spokesman added.

Attackers could mount a denial of service (DoS) attack against the latest vulnerability in Windows 2000 or execute their own malicious code in the security context of the IIS service, giving them unfettered access to the vulnerable system.

Machines running the Windows NT and Windows XP operating systems are not vulnerable, Microsoft said.

Microsoft has provided a patch for the WebDAV vulnerability and recommended that customers using IIS version 5.0 on Windows 2000 apply that patch at the earliest possible opportunity.

The security warning comes as Microsoft prepares to release the next version of its operating system, Windows 2003, next month. Last year the software giant also launched a "Trustworthy Computing" initiative in a bid to improve the security of its promises.

Security specialist Internet Security Systems (ISS) detected an attack that used the vulnerability on one of its scanners late last week, said Dan Ingevaldson, team leader of X-Force research and development at ISS.

The company was able to isolate the attack and identify the vulnerability it exploited. ISS informed Microsoft, but said that the problem was already known to Microsoft at that point, according to Ingevaldson.

Because of reports of active attacks exploiting the WebDAV vulnerability, an updated version of Microsoft's IIS Lockdown Tool was also released for organisations unable to install the patch immediately, or that do not need to run IIS.

Microsoft said the Lockdown Tool turns off unnecessary features of IIS, reducing the openings available to attackers.

Read more on IT risk management