The same bug is found in Microsoft's Internet Information Server (IIS) 5.0, which is used to power many commercial Web sites, and in Exchange 2000, Microsoft's flagship corporate email product.
The bug means that a specially formulated message can be used to crash these applications and render them inoperative. Although Windows 2000 is designed to restart itself whenever a service is disrupted, it is possible, using a target server's URL or IP address, to design a script that will repeatedly send the same malicious URL request and cause the server to black out.
David Litchfield, a security expert with @Stake and an experienced bug finder in Microsoft products, said the flaw is not as significant as one that could allow a hacker to break into a computer network, but still merits an alert.
"You can't execute arbitrary code, which would be a problem," he said. "The worst you could do is a denial of service attack. It's worth getting patched though."
Another security expert said this problem is just waiting to be exploited. "There are undoubtedly crackers and security enthusiasts trying to recreate this problem," said Paul Rogers, network security analyst with MIS corporate defence solutions. "It is quite serious that you can (do this to) Windows 2000 machines, given the number of people using it."
Rogers also noted that this latest bug is just another in a long line of exploits affecting IIS. These have been used recently to deface a number of Web sites running the Web serving application, he said.
Denial of service (DoS) attacks, which involve bombarding a target, are a relatively simple method of causing disruption to an enemy. Earlier this year, the technique was used by a Romanian hacker to crash the Undernet Internet Relay Chat servers. Last year a technique for distributing a DoS attack between a number of unwitting hosts was used to bring down some of the Internet's biggest players, including Yahoo! and eBay.
Microsoft has issued a security bulletin about the problem along with a fix for both IIS 5.0 and Exchange 2000 here.