Microsoft's plans for Windows Server 2003 could face further upheaval as the software giant strives to contain a flaw that is widespread among the Windows operating system family.
Although attention has so far focused on a flaw in the WebDAV file-sharing protocol and the IIS Web server, the underlying weakness is in a core operating system component, Ntdll, used by Microsoft and third-party software to share software services.
Potentially this extends the threat to the upcoming Windows Server 2003. Microsoft had already twice delayed the release-to-manufacturing (RTM) date of its new server operating system - see below - but on Friday 28 March the software giant announced that the RTM phase had begun according to the revised schedule.
The first worm exploiting the Ntdll flaw via WebDAV surfaced last Thursday, and several pieces of software to exploit the flaw have been posted on the Internet. IT managers are being advised to patch all Windows 2000 systems immediately.
David Litchfield of security firm NGS Software warned that hackers may be able to exploit the Ntdll flaw in a number of ways. "Microsoft seems to be concentrating too much on WebDAV, but this [flaw] is broader than WebDAV," he said. "There are a number of attack vectors, so, for example, if you run a Java-based Web server, you may still be vulnerable."
The extent of the flaw has raised questions over Microsoft's decision to proceed with its plan to ship Windows Server 2003 on 23 April.
Last week Stuart Okin, Microsoft's UK chief security officer, said, "I don't know if the same flaw exists in Windows 2003 Server, since it uses a slightly different NT kernel." He added that Microsoft had time to fix the new operating system before its RTM date.
Okin said a new alert would only be issued if a new threat emerged. "We tried to make it clear that our WebDAV patch fixes a core vulnerability," he said. "If the flaw is exploited by another mechanism and there is enough activity, then we'd issue another alert."
Nikos Drakos of analyst firm Gartner said: "There are changes in Windows Server 2003 to address security concerns, for example, the default settings have been altered, and non-essential services are switched off by default. Stability and performance have also improved, but the IIS Web server has not been rewritten."
Key dates: