[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated:  Tuesday, 18 March, 2003, 11:13 GMT
Software bug bites US military
US soldier, AP
Military computers have been attacked via the flaw
Computer vandals have been exploiting a flaw in Microsoft's Windows 2000 operating system even before the software giant warned people of its existence.

A server operated by the US Army has already been attacked via the security hole.

If successfully exploited the loophole can give attackers control over a target machine.

In an advisory, Microsoft called the flaw "critical" and has been telling customers to patch their computers in case they fall victim.

Bad bug

The flaw is present in servers running Windows 2000, up to and including service pack 3, and version 5.0 of Microsoft's Internet Information Server (IIS) software.

It arises because of Microsoft's implementation of a program called WebDAV that lets different people remotely manage what is on a net server.

Using a cleverly crafted HTTP request an attacker could exploit the flaw to gain control of a server and either crash it or make it run programs of their choice.

Microsoft has issued an advisory about the flaw, calling it "critical" and said an attacker that successfully exploited it could gain "complete control" over a machine.

The software company has also provided a patch to close the loophole as well as other tools to help customers protect themselves against attack.

Often there is a hiatus between the discovery of a flaw in software and its active exploitation by vandals.

However, in this case at least one net server has been attacked via the WebDAV loophole before security advisories have been issued.

The server, belonging to the US Army, was successfully attacked in early March. No serious damage was done because it was not connected to any important systems. Once patched it was attacked again.

Microsoft has reportedly spent time talking to customers warning them to take action over the flaw.

Security firm ISS has also reported seeing isolated attacks carried out using the WebDAV flaw.

Warning of serious Windows hole
21 Nov 02 |  Technology
Microsoft warns about security holes
23 Aug 02 |  Technology
Aggressive net bug makes history
03 Feb 03 |  Technology
Web worm suspects bailed
07 Feb 03 |  Technology
Mobile virus threat looms large
28 Jan 03 |  Technology

The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific