CNET top story: Windows has a huge hole in it. (duh)
Microsoft warned customers on Monday that a security hole in Windows 2000 and the company's Web server software is allowing online attackers to take control of corporate servers. Because the vulnerability is being actively exploited by Internet vandals, Microsoft advised customers to apply a patch or use a workaround to defend against the attack as soon as possible. The flaw, known as a buffer overflow, is in a component of the software that handles the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol in Microsoft's Internet Information Server (IIS). A specially formatted Web request to the WebDAV component can overflow the memory allocated to such requests and cause another, malicious program to be run instead. The technique can be used to take control of the server. The flaw affects only IIS 5.0 on Windows 2000 servers. IIS 4.0 on Windows NT and IIS 5.1 on Windows XP are not affected. Full story here.
