The vulnerability is in Windows Internet Name Service, or WINS, a network infrastructure component of server products such as Windows NT 4.0 Server, Windows 2000 Server and Windows Server 2003, Microsoft said Tuesday. The company has issued a temporary work-around for the problem while it works on an update to fix the vulnerability.
The problem, first made public last Friday by security software maker Immunity, is being defined by Microsoft as a "a remote buffer overflow" flaw that could enable an attacker to run malicious software on vulnerable servers.
Microsoft said its Windows 2000 Professional, Windows XP and Windows Me products are not affected by the security hole. Security company Secunia has rated the flaw "moderately critical."
WINS is a server-naming tool used to identify the IP address of specific computers on a network. The problem affects a replication function in the software that allows servers loaded with WINS to communicate. Microsoft pointed out that the infrastructure tool is not turned on by default and said the feature is not typically used by network administrators on Internet-facing servers.
The company said it has not been informed of any actual exploits of the WINS flaw, but that it will continue to monitor the situation.
A Microsoft representative said the company is working on a permanent fix for the vulnerability, which it plans to release as part of its normal monthly update process. For the time being, it is advising customers to simply turn off the WINS function if not needed on servers. It also suggests blocking several ports, including TCP port 42 and UDP port 42, at their network firewalls, or using IP security to protect traffic between WINS-capable servers. Other details of the work-around are available on Microsoft's Knowledge Base Web site.
The disclosure of the WINS flaw revived an ongoing debate over how much time security companies should give software makers to patch a vulnerability before they make the flaw public. The Microsoft representative said the company was "concerned that the vulnerability was disclosed irresponsibly" by Immunity and that tools designed to exploit the problem have been made publicly available as a result.
"Microsoft believes the presence of exploit code for vulnerabilities that have not been addressed by an update puts customers at risk from attack by criminals," the Microsoft representative said.
"Microsoft continues to encourage responsible disclosure of software vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," the representative added.
Calls seeking comment from Immunity on its reports of the flaw were not immediately returned.
