This morning, we released security update MS09-039 addressing vulnerabilities in the Microsoft Windows Internet Name Service (WINS). In this blog post, we’d like to help you understand the following:

  • What is the risk of this vulnerability?
  • Why is it rated Critical?
  • What is Microsoft doing to prevent a “WINS worm?”
  • What you can do to protect your environment?

What is the risk of this vulnerability?

A remote, anonymous attacker could use CVE-2009-1923 (addressed by MS09-039) to force wins.exe to under-allocate a buffer and copy in attacker-controlled data. This could lead to heap corruption and potential code execution as SYSTEM. Therefore, it is important to apply this security update to affected servers.

Why is it rated Critical?

The last WINS security update addressing a remote code execution vulnerability was MS04-045, shipped in December 2004. MS04-045 addressed a remote code execution security vulnerability rated “Important.” The mitigating factor dropping the rating from the maximum “Critical” rating down to “Important” was the fact that WINS is not installed by default. MS09-039 has the same mitigating factor – WINS is still not installed by default. However, the most recent Security Development Lifecycle (SDL) bug bar has changed how we rate components necessary for critical infrastructure. Security bulletins affecting critical components on enterprise networks are no longer down-rated for being off by default. We know that enterprise networks will have WINS so while the mitigating factor applies, it does not change the bulletin severity.

What is Microsoft doing to prevent a “WINS worm”?

This vulnerability is fairly easily detectable on the wire. Microsoft has shared network detection guidance and sample vulnerability triggers with all our Microsoft Active Protections Program (MAPP) partners. They will be able to use this information to successfully build robust network signatures to detect and block attempts to exploit this vulnerability. If you cannot immediately apply the WINS security update to affected servers, we encourage you to roll out detection updates from your protection provider as they become available.

What you can do to protect your environment?

Any potential attacks against the vulnerabilities addressed by security update MS09-039 will arrive on TCP or UDP port 42. Block those ports at your perimeter firewall to prevent Internet-based attacks. Most enterprise networks require WINS internally so you’ll need to allow access from legitimate network workstations needing to resolve internal names.

Hopefully this information helps you assess the risk of potential attacks against the vulnerabilities addressed by MS09-039.

- Jonathan Ness, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*