Microsoft issued updates to security bulletins on Wednesday, fixing two recent software patches.
The updates were for MS03--007, which was originally released in March, and MS03-013, originally released in April.
MS03-007 patched a serious vulnerability in a common Windows component, "ntdll.dll." The vulnerability, which affected a component used by the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol, gave attackers the ability to remotely exploit vulnerable servers using specially formed HTTP (Hypertext Transfer Protocol) requests. (See http://www.microsoft.com/technet/security/bulletin/MS03-007.asp.)
Microsoft's original patch fixed the problem for Windows 2000 Servers running Version 5.0 of the Internet Information Server (IIS), a platform that was actively being exploited when the patch was released.
Microsoft acknowledged at the time that the vulnerability affected Windows NT 4.0 as well, but did not supply a patch for that platform, noting that WebDAV was not supported on NT 4.0. Observing that the WebDAV protocol was only one way to exploit the underlying vulnerability, on Wednesday Microsoft updated the patch, adding fixes for the ntdll.dll vulnerability on the NT 4.0 platform and or the Windows XP platform, which is also vulnerable.
WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The extensions are designed to create interoperable, collaborative applications that allow geographically-dispersed software development teams to work together in an online "virtual" environment.
The company also issued a fix for MS03-013, a patch that was first released in April and then found to cause performance problems on the machines of some customers running the Windows XP operating system with the Service Pack 1 patch.
The revised version of the MS03-013 patch corrects the performance problems caused by the patch, Microsoft said.