Patch issued for Windows NT flaw

Microsoft has released an update for Windows NT that fixes the critical vulnerability that allowed an intruder to sneak onto a military server running Windows 2000.

The software giant issued the patch for Windows 2000 less than a week after learning of the problem, but decided to do its standard analysis to check whether the rest of its operating systems were vulnerable. The advisory and software patch for Windows NT are the result of the five-week process, said Stephen Toulouse, program manager for Microsoft's security response centre.

"The reason we really didn't have an NT fix is because we had to ship the bulletin faster than we normally do," Toulouse said. "We turned around the critical Windows 2000 fix in five or six days. Once we got the Windows 2000 fix out, we resumed our process."

The flaw could allow an attacker to gain total control of an Internet-accessible computer running unpatched versions of the Windows 2000 and NT operating systems, according to the revised advisory posted to Microsoft's site.

The original flaw allowed an online attacker to take control of a military server last March by using the World Wide Web Distributed Authoring and Versioning (WebDAV) component of Microsoft's flagship Web server software, Internet Information Services (IIS) Server 5.0.

The vulnerability took the software giant's security group by surprise because a security researcher wasn't the source of information about the problem. Normally, a researcher or hacker who finds a vulnerability will announce the details publicly or to the software's creator. Instead, the attack on the military server was Microsoft's first notice that the flaw existed.

In a paper published a week after Microsoft released the patch, David Litchfield, a security researcher at UK-based Next Generation Security Software, stated that the flaw could be exploited using other operating system components, not just WebDAV.

"The problem is much wider in scope than machines running IIS," Litchfield wrote in the paper.

Both Next Generation Security Software and Microsoft recommend that all Windows 2000 and NT users apply the patch. Windows XP and Windows Server 2003 are not affected by the flaw.
