Microsoft security attack tool published on Net

Two days after Microsoft Corp. announced an "extremely serious" flaw in its Windows 2000 server software, a tool to take advantage of that flaw is being passed around the Internet.

Microsoft said Tuesday that a part of its Internet Information Services (IIS) 5.0 is vulnerable to a technique that would allow an attacker to take virtually total control over a server running the software Microsoft issued a patch for the problem on Tuesday. Since then, a tool to attack the flaw, called an "exploit," has been published online and distributed on various Internet mailing lists.

The flaw, which allows a buffer overflow attack against an extension which enables printing across the Internet, was originally discovered by security firm eEye Digital Security in the course of testing one of its own products about 10 days before Microsoft publicized the problem. EEye has since published its own exploit for taking advantage of the hole on its Web site.

Microsoft was not surprised that an exploit became available so quickly, as "attack tools are developed for virtually all published security vulnerabilities," according to a Microsoft spokeswoman.

The company spread the word about the flaw and its fix so broadly on Tuesday because it knew the exploit would come eventually, the spokeswoman said. If IIS server customers have applied the patch, they will not be vulnerable to the exploit, the spokeswoman said, but added that if the patch has not been applied, the availability of a tool to attack the hole should serve as "a reminder of the need to (update) immediately."

The company's original security bulletin can be found at http://www.microsoft.com/technet/security/current.asp. The patch is located at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29321.