Exploiting this vulnerability can allow an attacker to run any code they want in the security context of IIS (typically IIS runs as LocalSystem). With such a large installed base of Windows 2000 IIS servers around the world, and an equal or greater number of Windows 2000 servers that have IIS installed by default and whose administrators may not even realize it is enabled, this presents a pretty serious issue.
The problem is that it may not present the whole issue. Microsoft rushed to create a patch and issue their bulletin after a U.S. Military server had already been compromised through this vulnerability. The fact that the patch and the Security Bulletin focus on WebDAV seems to be a direct reflection of the fact that this was the method used in the server compromise.
The DLL at the heart of the problem, however, is ntdll.dll, a core system DLL that is not related to WebDAV or even to IIS for that matter. Other applications can call functions from ntdll.dll. Just as important, many other DLLs rely on the vulnerable function as well.
David Litchfield of NGSSoftware says the company's security researchers have already discovered several new attack vectors and believe many more will come to light over the next few weeks.
With so many potential methods of exploiting the vulnerability, it is probably only a matter of time before a malicious programmer develops another exploit or possibly even a worm that capitalizes on it. Essentially, all Windows 2000 systems, servers and workstations alike, are vulnerable, not just those running IIS 5.0 with WebDAV enabled. All Windows 2000 systems need to have the patch applied as soon as possible or risk becoming a statistic.
