
November 30, 2004 11:48 AM PST

Flaw opens crack in Windows servers

A flaw in popular Windows server software could allow remote attacks to be launched against systems, Microsoft has confirmed.

The vulnerability is in Windows Internet Name Service, or WINS, a network infrastructure component of server products such as Windows NT 4.0 Server, Windows 2000 Server and Windows Server 2003, Microsoft said Tuesday. The company has issued a temporary work-around for the problem while it works on an update to fix the vulnerability.

The problem, first made public last Friday by security software maker Immunity, is being defined by Microsoft as a "remote buffer overflow" flaw that could enable an attacker to run malicious software on vulnerable servers.

Microsoft said its Windows 2000 Professional, Windows XP and Windows Me products are not affected by the security hole. Security company Secunia has rated the flaw "moderately critical."

WINS is a server-naming tool used to identify the IP address of specific computers on a network. The problem affects a replication function in the software that allows servers loaded with WINS to communicate. Microsoft pointed out that the infrastructure tool is not turned on by default and said the feature is not typically used by network administrators on Internet-facing servers.

The company said it has not been informed of any actual exploits of the WINS flaw, but that it will continue to monitor the situation.

A Microsoft representative said the company is working on a permanent fix for the vulnerability, which it plans to release as part of its normal monthly update process. For the time being, it is advising customers to simply turn off the WINS function if not needed on servers. It also suggests blocking several ports, including TCP port 42 and UDP port 42, at their network firewalls, or using IP security to protect traffic between WINS-capable servers. Other details of the work-around are available on Microsoft's Knowledge Base Web site.

The disclosure of the WINS flaw revived an ongoing debate over how much time security companies should give software makers to patch a vulnerability before they make the flaw public. The Microsoft representative said the company was "concerned that the vulnerability was disclosed irresponsibly" by Immunity and that tools designed to exploit the problem have been made publicly available as a result.

"Microsoft believes the presence of exploit code for vulnerabilities that have not been addressed by an update puts customers at risk from attack by criminals," the Microsoft representative said.

"Microsoft continues to encourage responsible disclosure of software vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," the representative added.

Calls seeking comment from Immunity on its reports of the flaw were not immediately returned.

Microsoft gets something right.
by Dachi November 30, 2004 1:01 PM PST
WINS, like most other server functions (IIS included), is off by default in 2003. And because of this decision this attack is not a very serious issue. This vulnerability should serve as an example of why reducing services in listening state on both Windows client and server should be placed as high priority.

The attitude that "it is on by default, but we audited the code and it is secure" simply does not fly, especially not from Microsoft.


Now if only they can focus on reducing listening state applications on their client operating system rather than masking the problem with a firewall.

If these services are used for internal communication then they can listen on loopback. Obviously it is not imperative to the functions of the OS that they listen on a public IP if that data is now blocked at the firewall.

MS turns the services on by default because they believe the client is too dumb to do it themselves when they need it, but they are smart enough to configure the firewall exception?

It takes 4 minutes for an XP SP1 PC connected to the net to be compromised: http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm

This should be an embarrassment to Microsoft but it's not, Steve and Bill are very thick minded when it comes to security.

You can spend billions doing all the code auditing you want. It was not until 2003 server and XP SP2 that they finally grasped some of the basic concepts involved in security 101.

I would love to see an official response or interview with MS about what took them so long to figure this out.
It's perceptual
by sunergeos November 30, 2004 1:29 PM PST
While it sounds like a good idea to have them interviewed and confront the issue, you would end up with statements from them telling you that you have the wrong perception. As a matter of fact, they would take that as an opportunity to remind you that their current security actions are "innovative" and that "no other company spends the amount of money we do on security", blah, blah, blah.

What strikes me is the posturing that Microsoft took over the disclosure. Somehow, in their universe, it is irresponsible of the security company to point out the flaw instead of it being irresponsible of MS not to have coded it correctly to begin with. In other words, they frown on those who find flaws, because anybody else other than Microsoft is, of course, irresponsible.

That's an open shame.