Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

WINS attacks now in the wild

Apply patch right away, sysadmins warned.

By John Fontana | Network World US | Published: 08:15, 19 August 2009

The "critical" WINS vulnerability that Microsoft issued a patch for last week is now being exploited actively in the wild, according to the SANS Institute.

The Internet Storm Center (ISC), which is operated by SANS, is receiving preliminary reports that hackers are targeting Microsoft's WINS service on Windows NT, 2000 and 2003 servers.

WINS is a central mapping of host names to network addresses and lets users find computers on a network.

Last week, Microsoft issued patch MS09-039 to close the WINS vulnerability, which could allow remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a Windows replications packet sent to TCP Port 42.

Data collected by the ISC shows that over the past few days Internet activity associated with Port 42 has risen dramatically.MS09-039 was issued on Aug. 11 when ISC was reporting roughly zero targets per day in association with Port 42 activity. By Aug. 13 that number had spiked to around 30,000, and by 16 August the number was 70,000.

Microsoft reported on its Exploitability Index, which is calculated for each patch released, that there is a high likelihood of "consistent exploit code" for the WINS vulnerability on Windows 2000 Service Pack 4. For the other affected platforms, Windows Server NT and 2003, Microsoft said that "inconsistent exploit code" was likely.

Eric Schultze, CTO for Shavlik Technologies, said last week that the WINS issue "is an unauthenticated server-side attack - the bad guy simply points and shoots some packets at the WINS server and they can execute code of their choice on that server." He noted, however, that the attack is most likely to come from inside a user's network because the necessary port - Port 42 - to execute the attack is usually blocked at the Internet firewall.

Regardless, his recommendation was to "patch this right away on your WINS servers."

Andrew Storms, director of security operations for nCircle, also said last week that the WINS vulnerability could become a "potential worm vector."

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.