Microsoft said Monday that it discovered a critical security vulnerability in a component of its Windows 2000 operating system that could enable a remote attacker to gain total control of a machine running Windows 2000 and Microsoft's Internet Information Server (IIS) Web server.

A company spokesman said that Microsoft has also received isolated reports of attacks that exploit the new vulnerability.

An unchecked buffer in a Windows 2000 component used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol could enable an attacker to cause a buffer overflow on the machine running IIS, according to the Microsoft Security bulletin MS03-007.

WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.

Attackers could mount a denial of service (DoS) attack against such machines or execute their own malicious code in the security context of the IIS service, giving them unfettered access to the vulnerable system, Microsoft said.

Attacks could come in the form of malformed WebDAV requests to a machine running IIS version 5.0. Because WebDAV requests typically use the same port as other Web traffic (Port 80), attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability, Microsoft said.

The IDG News Service is a Network World affiliate.