Microsoft downplays Server bug threat, say researchers
Admins might not even know the vulnerable WINS component is installed
Computerworld - Microsoft is downplaying the threat posed by one of the three bugs the company patched today, said security researchers.
The update in question, MS11-035, patches a single vulnerability in WINS (Windows Internet Name Service), a component in every supported edition of Windows Server, including Server 2003, 2008 and the newest, Server 2008 R2.
Attackers could exploit the WINS bug by crafting a malicious data packet, then shooting it at a vulnerable Windows Server box.
What irked researchers is that although Microsoft rated the bug as "critical," the company's highest threat ranking, it also pointed out that WINS is not installed by default, citing that as a mitigation factor.
While true, that overlooks the fact that many networks, especially larger ones in enterprises and government agencies, have WINS installed.
"Most organizations have to install WINS," said Marcus Carey, Rapid7's enterprise security community manager. "With governments and big agencies -- any large network -- WINS is going to be running."
That's because WINS -- Microsoft's name server for Windows networks -- is required for many older third-party or custom-built applications, called "legacy" programs, said Andrew Storms, director of security operations at nCircle Security. "There's so much legacy that relies on WINS [that] our gut instinct is that most will have it installed in the data center," said Storms.
Like Carey, Storms said Microsoft, intentionally or not, softened the warning by telling customers WINS isn't installed by default. "They seem to be downplaying it," Storms said. "It is a network-based remote code possibility, so it comes with some trepidation."
Jason Miller, the data and security team manager for Shavlik Technologies, agreed. "There are more networks with WINS than most people think," he said. "Not only do some very-old legacy applications require it, but some admins, those who inherited a network or those with less tech savvy, may not even know it's installed."
Because Microsoft last patched WINS in 2009, it's possible that the component is active without admins knowing it, Miller argued.
One researcher, however, said Microsoft wasn't downplaying the WINS bug.
"Yes, the vulnerability is remote code executable," said the manager of Qualys' vulnerability research lab. "But I don't think they're trying to downplay it. WINS is not really needed anymore, unless you have some really old software, like SQL Server 2000."
Carey, Storms, Miller and Sarwate all believe that attackers will focus on the WINS vulnerability.
"This is a big deal," said Carey. "There's not an active exploit for this as far as we know, but if attackers are on the top of their game, they could have one in a week or less."
Carey said that hackers could use fuzzers -- tools that hammer at an application looking for a weakness -- to quickly locate the flaw in WINS. "We think it will be easy to do, and that they'll figure it out quickly," he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts