Windows Flaw More Serious Than First Thought

An outside analysis demonstrates that IIS is not the only attack vector. All Windows 2000 users should apply patch immediately.

An analysis by security vulnerability research company NGS Software demonstrates that earlier reports and Microsofts Security Bulletin on what was apparently a vulnerability in IIS understated the depth of the problem. In fact, the problem is based in more fundamental functions of Windows 2000 and many other modes of attack, other than through WebDAV, are possible.

The implications of this are serious. We and others had reported that there were effective workarounds to the problem for those uncomfortable with applying the patch, but it appears that these will prove inadequate. As reported on the NTBugTraq mailing list, we should expect new attacks through other vectors against Windows 2000 systems generally, both clients and servers. All users should apply the patch as soon as possible.