Suspicious probes target WINS servers |
 |
By Bill Brenner, News Writer
04 Jan 2005 | SearchSecurity.com |
|
|
Those who haven't patched their Windows Internet Naming Service (WINS) servers might want to get on it now.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) said it and other organizations have seen a sharp uptick in probes against WINS servers since Dec. 31.
"So, if you have not patched your WINS servers in respective companies or campuses, beware," ISC handler Scott Fendley said in a Monday Web diary. "Patching these systems is now overdue. Additionally, WINS services probably should not cross your border router. So please block these ports and keep the rif-raf out in case your local Windows server admins have not patched for this over the holidays."
He added that anyone who has captured packets of this activity should forward it to the ISC for analysis.
The Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) has graphs showing "the marked increases in probes on Internet2 via the Abilene network netflows," said Fendley, who is also chief IT security analyst for the University of Arkansas in Fayetteville.
|
What's the threat? |
An attacker who successfully exploits the flaws in unpatched machines could take over the system to install programs; view, change or delete data; or create new accounts with full privileges. |
|
|
|
|
Microsoft issued fixes for the WINS security holes last month. The software giant labeled the vulnerabilities "important" and described them as problems in how WINS handles computer name validation and association context validation.
An attacker who successfully exploits the flaws in unpatched machines could take over the system to install programs; view, change or delete data; or create new accounts with full privileges.
Microsoft offered potential workarounds for those who are unable to patch systems immediately: Users can block TCP port 42 and UDP port 42 at the firewall or remove WINS altogether if it isn't needed.
|
