Microsoft Confirms WINS Flaw

Microsoft Corp. has issued a workaround for a newly discovered security issue in WINS (Windows Internet Name Service) that could lead to malicious code execution.

Just days after research outfit Immunity Inc. issued an advisory, Redmond confirmed that the WINS vulnerability could make it possible for an attacker to take control of a WINS server remotely.

The issue affects Microsoft Windows NT 4.0 Server, Microsoft Windows NT Server 4.0 Terminal Server Edition, Windows 2000 Server, and Windows Server 2003.

Windows 2000 Pro, Windows XP and Windows Millennium Edition (ME) are not affected by this vulnerability, according to the company. By default, WINS is not installed on any versions of Microsoft Windows.

Secunia released a separate advisory with a "moderately critical" flaw rating.

WINS is a NetBIOS name server used to determine the IP address associated with a particular network computer. The flaw exists in the WINS replication feature that allows one or more WINS servers to exchange information with each other about the computers on their respective networks.

In a Knowledge Base article released Sunday, the software giant recommended that WINS users block TCP port 42 and UDP 42 at the firewall level.

"These ports are used to initiate a connection with a remote WINS server," the article said. "Blocking these ports at the firewall will help prevent systems that are behind that firewall from being attacked by attempts to exploit this vulnerability. It is possible that other ports may be found that could be used to exploit this vulnerability.

"The ports that are listed are the most common attack vectors. We recommend blocking all incoming unsolicited communication from the Internet."

Microsoft officials also said organizations that don't need WINS should remove it from affected Windows systems. Detailed instructions for removing WINS is provided in the company's workaround notice.

Click here to read about a flaw in Microsoft's ISA Server that could allow an attacker to spoof trusted Internet content.

Affected customers should also consider using the IP Security protocol to secure traffic between WINS Server Replication Partners.

Microsoft said a full-fledged fix is in development and will be released as part of its monthly patching cycle.

It is the second time this year that Microsoft will be releasing a fix for WINS. In February, the company's MS04-006 patch corrected a code-execution bug in the method used by WINS to validate the length of specially crafted packets.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.