Really. It's not just me making up stuff about IIS because of my open source evangelical bias that so infects my understanding of the world.
This time an Army computer was attacked on March 10. It was Windows 2000 with IIS5. It already had the latest IIS buffer overflow patch installed. The compromise was discovered by Army IT (an oxymoron indeed if they are using Win2K and IIS; OK, a little bias slipped in there, sorry), and so they rebuilt the machine entirely, including re-installing the patch. It was compromised again "almost immediately". Nice.
The compromised machine displayed the text "Welcome to the Unicorn Beachhead" and was being actively used for scanning of other machines on the network.
The Army contacted Microsoft. At first Microsoft said they were unaware of another buffer overflow or exploit of any kind, then "Within hours, however, Microsoft appeared to be in a high state of alert about the problem." It turns out to be a new vulnerability in IIS concerning WebDAV.
Long story short, Microsoft did get a new patch out but it has some issues: "Yesterday Microsoft announced that the MS03-007 patch was incompatible with 12 software fixes for Windows 2000 issued by Microsoft's Product Support Services (PSS) between December 2001 and February 2002."
Because the exploit works and a method of employing it is already circulating, TruSecure has predicted that a new worm will arrive within a week.
The bottom line: get the incompatible patch, disable WebDAV, or get the real patch.
See the linked CW360 article for more details. (That is, if their server is up; it's IIS ;).) Hacker exploits US Army web server vulnerability: CW360