Volume 1, Number 38 -- December 1, 2004

Microsoft Looking Into New WINS Security Flaw


by Alex Woodie


Microsoft said yesterday that it's working on a security update for a new vulnerability in the Windows Internet Naming Service affecting various versions of Windows NT, Windows 2000 Server, and Windows Server 2003 that could allow an attacker to take over an affected server. Until the update is ready, Microsoft is encouraging users to close down unnecessary ports or to disable WINS altogether, which is enabled by default on only two operating systems.

The WINS vulnerability was first described last Friday by the New York security research firm Immunity, which posted exploit code on its Web site. The problem lies in how WINS handles replication packets: an attacker can send a specially crafted WINS replication packet to a vulnerable server.

On Sunday, security firm SANS Institute reported "some activity" regarding the WINS vulnerability in its daily Internet Storm Center log. The organization recommended blocking unneeded ports on corporate firewalls, specifically port 42. "We doubt this will be a huge thing, but we might be proven wrong," the handler on duty wrote.

On Monday, Microsoft posted an article in the help and support section of its Web site, entitled "How to help protect against a WINS security issue," saying that it was investigating the WINS problem. "As of November 26, 2004, Microsoft is not aware of any customers who have been affected by this security issue," Microsoft stated in the article.

The new WINS vulnerability won't receive any special consideration and will be dealt with by Microsoft as part of its regular update process. "As soon as this update has reached an appropriate level of quality so that customers may deploy it with confidence, we will provide the update through Windows Update," Microsoft stated in the article.

Microsoft isn't due to release any security patches until December 14. The company issues security patches on the second Tuesday of every month, which has come to be known as "Patch Tuesday." Next Thursday, however, Windows shops will be able to get a "sneak peek" at the upcoming December 14 patches as part of a new preview program the company announced last month.

Until a patch is ready, Microsoft is recommending that users block TCP and UDP port 42 on their firewalls; this port is used to initiate a connection with a remote WINS server. Microsoft is also recommending that users remove WINS if they don't need it. However, removing WINS will likely cause network problems for older Windows networks that still rely on WINS.

WINS is a legacy Windows service used for translating NetBIOS-based resources, such as clients on a network, into IP addresses. Although it is slowly being phased out in favor of services based on Domain Name Service (DNS) and Lightweight Directory Access Protocol (LDAP), it is still in widespread use.


Nearly all of Microsoft's server operating systems have the potential to be affected by the WINS vulnerability, while none of the client operating systems are affected. Specifically, the WINS vulnerability affects Windows NT 4.0 Server and NT 4.0 Terminal Server Edition; Windows 2000 Server, as well as Advanced Server, Datacenter Server, and Small Business Server versions; and Windows Server 2003, including the Standard, Web, Enterprise, Datacenter, and Small Business Server versions.

The only versions of Windows that have WINS installed and activated by default are Microsoft Small Business Server 2000 and Microsoft Windows Small Business Server 2003, and on these operating systems the WINS communication ports are blocked from the Internet and are available only from the local network, Microsoft says. On none of the other versions of Windows is WINS installed or enabled by default.

This isn't the first vulnerability to afflict WINS. In February, Microsoft issued a security update for a similar vulnerability in WINS that affected various operating systems, but in its worst form could be used to launch a denial-of-service attack against Windows Server 2003. In Microsoft Security Bulletin MS04-006, the company gave that WINS vulnerability an "important" rating on Windows Server 2003.


Editor: Alex Woodie
Managing Editor: Shannon Pastore
Contributing Editors: Dan Burger, Joe Hertvik, Shannon O'Donnell,
Timothy Prickett Morgan, Victor Rozek, Kevin Vandever, Hesh Wiener
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed



Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034