Mar 24, 2003 (07:03 PM EST)
Windows 2000 Flaw More Serious Than Initially Thought

Read the Original Article at InformationWeek

A Microsoft security flaw revealed last week is much more serious than initially thought, several security companies have said. It's important that businesses apply a new patch to all Windows 2000 systems, advisories state--not just those running Microsoft's IIS Web server software.

According to a white paper available on NGSSoftware's Web site, the flaw, which first was thought accessible only through the WebDav (World Wide Web Distributed Authoring and Versioning) component of the IIS 5.0 Web server software running on Windows 2000, actually opens non-server systems to attack. And those exploitations can come from numerous other "attack vectors," or approaches.

Other security firms, including TruSecure Corp., have issued updated alerts outlining the problem.

"This is a critical problem," said Russ Cooper, TruSecure's surgeon general and primary security expert. "It's one of those rare instances where we recommend that a patch must be applied, and applied immediately."

The problem, said Cooper, stems from a buffer overflow vulnerability in NTDLL.DLL, which is present on all Windows 2000 machines. The vulnerability can be exploited through a number of attack vectors beyond the initially reported WebDav component. "A file could come as an attachment and exploit this," said Cooper. "A Web page might invoke an attack, a file you find on an FTP site, even an MPEG image or MP3 file. Basically anything related to file handling could be used by attackers."

TruSecure had information that other attack vectors against NTDLL.DLL were known to the so-called "black hat" community. "It is therefore likely that within the near future multiple attacks attempting to exploit the vulnerability in NTDLL.DLL may surface and be used against your systems," a TruSecure security advisory said.

"We expect that a worm attack similar to Nimda will eventually be created using this vulnerability as a primary mechanism," said TruSecure's alert. "Such a broad 'zero day' attack could be orchestrated as soon as 7 to 10 days, and is likely in the next month."

Symantec Corp., which is also aware of the problem, hasn't seen widespread attacks exploiting this vulnerability, but like TruSecure, advocates applying the patch. "Because we're starting to see exploits," said Oliver Friedrichs, a senior manager with Symantec Security Response, "now is the time to buckle down and install this patch."

Not only is the vulnerability a "zero day" event, it's one that absolutely requires a patch, said Cooper. "Any Windows 2000 server or Windows 2000 workstation that has not already installed this patch must do immediately," he urged.

A zero day event is one in which an attack is launched almost immediately after a flaw is discovered.

NGSSoftware's white paper made the same strong recommendation. "Every Windows 2000 server or workstation should be patched, and patched as soon as possible--regardless of whether the box is running IIS or not," the paper stated.

Numerous groups, including the CERT Coordination Center and Microsoft itself, have urged Windows 2000 users to apply the patch available on the Microsoft Web site.

"Critical machines, such as those on the perimeter of a network, must be patched immediately," said TruSecure's Cooper. After those perimeter servers have been fixed, he recommends that businesses apply the patch to internal PCs as quickly as possible.

Systems running Windows 2000 Advanced Server, Server, or Professional with either Service Pack 2 or Service Pack 3 installed are vulnerable, TruSecure says. Since Microsoft no longer supports Windows 2000 with pre-Service Pack 2 installations, the company has not confirmed that such installations are not vulnerable.