News

WINS Exploit Posted

• By Scott Bekker
• November 29, 2004

"There is some activity with irresponsible released exploits against WINS. As a precaution [until] Microsoft gets a chance to release a patch for it, we can only reiterate the urgent and continued need to make sure you block the unneeded ports in your firewalls (either the XP2 or the corporate firewall)," the SANS Insitute handler on duty wrote in the security training company's daily security diary on Sunday.

Candidate ports for lockdown are port 42, 137-139 and 445, both TCP and UDP.

While it's unclear how big of a threat the vulnerability poses, the existence of exploit code makes the issue worth taking seriously. Microsoft's next Patch Tuesday, the day each month when the company releases all of its security patches, doesn't fall until Dec. 14.

A Microsoft spokesperson said, "Microsoft is currently already working on providing an update to address this vulnerability as part of our normal monthly update process. As soon as this update has reached an appropriate level of quality so that customers may deploy it with confidence, Microsoft will provide the update through Windows Update, either through the monthly release process or as an out-of-band update depending on quality and customer needs."

WINS stands for Windows Internet Naming Service. The service translates NetBIOS names, the easily remembered Windows machine names, to corresponding IP addresses. Microsoft has been phasing the technology out since launching Windows 2000, but the service remains fairly common.

The Microsoft spokesperson noted that WINS is not enabled by default and isn't normally configured on Internet facing servers. The spokesperson said Microsoft has not been made aware of any active exploits or customer impacts so far.

Microsoft has a Knowledge Base article (890710) about the issue at http://support.microsoft.com/kb/890710.