Military computers have been attacked via the flaw
Computer vandals have been exploiting a flaw in Microsoft's Windows 2000 operating system even before the software giant warned people of its existence.
A server operated by the US Army has already been attacked via the security hole.
If successfully exploited, the loophole can give attackers control over a target machine.
In an advisory, Microsoft rated the flaw "critical" and has been urging customers to patch their computers before they fall victim.
Bad bug
The flaw is present in servers running Windows 2000, up to and including Service Pack 3, with version 5.0 of Microsoft's Internet Information Services (IIS) web server software.
It arises from Microsoft's implementation of WebDAV (Web Distributed Authoring and Versioning), an extension of HTTP that lets users remotely manage the files on a web server.
Using a specially crafted HTTP request, an attacker could exploit the flaw to either crash the server or make it run code of the attacker's choosing.
Microsoft's advisory, which rates the flaw "critical", says an attacker who successfully exploited it could gain "complete control" over the machine.
The software company has also provided a patch to close the loophole as well as other tools to help customers protect themselves against attack.
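The article does not say what the crafted request looks like. What can be said is that it is a WebDAV request, so an administrator of an IIS 5.0 host can at least check the web server's logs for WebDAV verbs that should not be arriving at all (if WebDAV has been switched off as a precaution) or that carry a request path far longer than any real document path. The script below is an added example, not code from the article or from Microsoft. It assumes the W3C extended log format with a `#Fields:` header (IIS's default), treats an over-long request URI as the suspicious signal, and uses a 1024-byte threshold chosen conservatively since legitimate WebDAV paths are far shorter; the sample log lines are constructed, not real traffic.

```python
"""Scan IIS W3C-format logs for WebDAV requests with unusually long URIs.

Added example, not from the article or Microsoft. Assumptions (not in the
article): logs use the W3C extended format with a #Fields header; an
over-long request path is the signal worth flagging; the 1024-byte threshold
is a conservative choice, since legitimate WebDAV paths are far shorter.
"""
from collections import Counter

# Standard WebDAV verbs (plus SEARCH, used by IIS's DASL implementation).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 1024  # assumption: anything longer is not a real document path


def parse_w3c_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blanks
        if fields is None:
            raise ValueError("data line before #Fields header")
        # Limit splitting so a trailing field never absorbs extra tokens.
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            continue  # malformed line; skip rather than abort the whole scan
        records.append(dict(zip(fields, values)))
    return records


def flag_webdav(records, max_uri_len=MAX_URI_LEN):
    """Return (alerts, verb_counts).

    alerts: WebDAV requests whose URI exceeds max_uri_len.
    verb_counts: every WebDAV verb seen; if WebDAV has been disabled on the
    host as a precaution, this tally should be empty.
    """
    alerts, counts = [], Counter()
    for rec in records:
        method = rec.get("cs-method", "").upper()
        if method not in WEBDAV_METHODS:
            continue
        counts[method] += 1
        uri_len = len(rec.get("cs-uri-stem", ""))
        if uri_len > max_uri_len:
            alerts.append({"client": rec.get("c-ip"), "method": method,
                           "uri_len": uri_len, "status": rec.get("sc-status")})
    return alerts, counts


# Constructed sample log (not real traffic): one client sends a normal
# PROPFIND, another sends two SEARCH requests with a 4096-byte path.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-03-17 10:01:12 192.0.2.10 GET /index.htm 200",
    "2003-03-17 10:01:15 192.0.2.10 PROPFIND /docs/ 207",
    "2003-03-17 10:02:03 198.51.100.7 SEARCH /" + "A" * 4096 + " 500",
    "2003-03-17 10:02:09 198.51.100.7 SEARCH /" + "A" * 4096 + " 500",
    "2003-03-17 10:03:00 192.0.2.11 OPTIONS / 200",
])

if __name__ == "__main__":
    alerts, counts = flag_webdav(parse_w3c_log(SAMPLE_LOG))
    for a in alerts:
        print("ALERT %(client)s %(method)s uri_len=%(uri_len)d "
              "status=%(status)s" % a)
    print("WebDAV verbs seen:", dict(counts))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the two `SEARCH` lines from 198.51.100.7 are flagged, the ordinary `PROPFIND` is only tallied. A flagged entry is a reason to confirm the patch is installed and to examine the client address, not proof of compromise on its own.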
Often there is a delay between the discovery of a flaw in software and its active exploitation by vandals.
In this case, however, at least one net server was attacked via the WebDAV loophole before any security advisory had been issued.
The server, belonging to the US Army, was successfully attacked in early March. No serious damage was done because it was not connected to any important systems. After it was patched, it was attacked again.
Microsoft has reportedly spent time talking to customers warning them to take action over the flaw.
Security firm ISS has also reported seeing isolated attacks carried out using the WebDAV flaw.