Network Computing is part of the Informa Tech Division of Informa PLC


Microsoft WINS Still Under Attack

A Windows Internet Name Service vulnerability, which Microsoft has patched, remains in the news following an alert from the SANS Institute of what it believes is a rising level of attacks on TCP Port 42 (the port commonly used for WINS).

Here's the quick history: on August 11, Microsoft issued a "critical" security update, entitled "Vulnerabilities in WINS Could Allow Remote Code Execution." WINS is Microsoft's homegrown implementation of a NetBIOS name server. It maps NetBIOS names to IPv4 addresses. According to the MS bulletin, "This security update resolves two privately reported vulnerabilities in the Windows Internet Name Service (WINS). Either vulnerability could allow remote code execution if a user received a specially crafted WINS replication packet on an affected system running the WINS service. By default, WINS is not installed on any affected operating system version. Only customers who manually install this component are affected by this issue."

The SANS Institute security newsletter provides a more functional explanation of the problems: "Two vulnerabilities have been identified in WINS which can be triggered by a specially crafted WINS network packet. The first issue is a heap overflow vulnerability caused due to an error in the calculation of buffer length while processing WINS push packets. The second issue is integer overflow vulnerability in WINS caused due to inadequate checks on the data structures within WINS network packets."

The SANS Internet Storm Center says the "vulnerability is [being] actively exploited in the wild."

The vulnerabilities affect various revs of Windows Server 2000 and Windows Server 2003, but Microsoft says you're okay if you have automatic updating turned on. If not, there's a downloadable patch. Eric Schultze of Shavlik Technologies adds, on his blog: "This attack is most likely to come from inside your network as the necessary ports to execute the attack are usually blocked at the Internet firewall. Patch this right away on your WINS servers."
