Patch issued for Windows NT flaw
The fix mends the underlying Microsoft Windows flaw that allowed an intruder to hack into a military server in March.
The software giant issued the patch for Windows 2000 in less than a week after learning of the problem, but decided to do its standard analysis to check whether the rest of its operating systems were vulnerable. The advisory and software patch for Windows NT are the result of the five-week process, said Stephen Toulouse, program manager for Microsoft's security response center.
"The reason we really didn't have an NT fix is because we had to ship the bulletin faster than we normally do," Toulouse said. "We turned around the critical Windows 2000 fix in five or six days. Once we got the Windows 2000 fix out, we resumed our process."
The flaw could allow an attacker to gain total control of an Internet-accessible computer running unpatched versions of the Windows 2000 and NT operating systems, according to the revised advisory posted to Microsoft's site.
The original flaw allowed an online attacker to take control of a military server last March by using the World Wide Web Distributed Authoring and Version (WebDAV) component of Microsoft's flagship Web server software, Internet Information Services (IIS) Server 5.0.
The vulnerability took the software giant's security group by surprise because a security researcher wasn't the source of information about the problem. Normally, a researcher or hacker who finds a vulnerability will announce the details publicly or to the software's creator. Instead, the attack on the military server was Microsoft's first notice that the flaw existed.
In
"The problem is much wider in scope than machines running IIS," Litchfield wrote in the paper.
Both Next Generation Security Software and Microsoft recommend that all Windows 2000 and NT users apply the patch. Windows XP and Windows Server 2003 are not affected by the flaw.