Users of Windows Internet Name Service (WINS) can cut off two potential attack vectors or simply remove the program to get around a security hole that could be exploited to launch malicious code, Microsoft said. But the software giant has yet to address a newly reported vulnerability in Internet Explorer.
Microsoft issued an advisory over the weekend saying it is investigating reports of a security issue with WINS affecting the NT 4.0 Server, NT Server 4.0 Terminal Server Edition, Windows 2000 Server and Windows Server 2003. Windows 2000 Professional, XP and ME are not vulnerable.
"This security issue could make it possible for an attacker to take control of a WINS server remotely," the company said. "As of Nov. 26, Microsoft is not aware of this security issue affecting any customers."
Microsoft said it will continue to investigate the problem and "determine the appropriate steps to help protect customers." In the meantime, there are two steps users can take to protect their systems:
Block TCP port 42 and UDP 42 at the firewall.
Microsoft noted these ports are used to initiate a connection with a remote WINS server and that "blocking these ports at the firewall will help prevent systems that are behind that firewall from being attacked by attempts to exploit this vulnerability." The company warned that it's possible other ports could also be used as attack vectors. "The ports that are listed are the most common attack vectors. We recommend blocking all incoming unsolicited communication from the Internet," Microsoft said.
Remove WINS if you don't need it.
"In many organizations, WINS only provides services for legacy systems," Microsoft said. If WINS is no longer needed, the advisory offers directions for removing it.
Danish security firm Secunia said the "moderately critical" vulnerability is caused by an error within WINS during the handling of replication packets. "This can be exploited to write 16 bytes to an arbitrary memory location by sending a specially crafted WINS replication packet to a vulnerable server," the firm said in its advisory. "Successful exploitation allows execution of arbitrary code."
Secunia credited Immunity Inc. researcher Nicolas Waisman with discovering the problem, and the New York firm has issued its own advisory, complete with exploit details. In an e-mail, Immunity founder Dave Aitel said of the vulnerability: "I would say it's a severe vulnerability [remote root, essentially] in a fairly rare service that is sometimes installed on servers. The exploit we have is reliable, meaning it will get you in almost all the time, assuming that service is available for connections from the Internet."
As Microsoft prepared to release the workaround tips over the weekend, Secunia issued an advisory detailing a new vulnerability in Internet Explorer.
Researcher "cyber flash" discovered the vulnerability. It is caused by "Internet Explorer using the file extension from the URL's filename when saving images with the 'save picture as' command," the advisory said. It "also strips the last file extension if multiple file extensions exist. This can be exploited by a malicious Web site to cause a valid image with malicious, embedded script code to be saved with an arbitrary file extension."
Successful exploitation could allow a malicious Web site to trick users into downloading a malicious HTML application disguised as a valid image, Secunia said. Exploitation requires that the "hide extension for known file types" option be enabled, however.
The vulnerability was confirmed on a fully patched system with Internet Explorer 6 and Windows XP SP2, and proof-of-concept code is publicly available, Secunia said.
Users are advised to disable the "hide extension for known file types" option.
Microsoft had not returned a request for comment at the time of writing.