List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Microsoft Security Bulletin MS09-039 - Critical: Vulnerabilities in WINS Could Allow Remote Code Execution (969883):

Author: Bitzie
08/12/2009 9:09 AM  
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Microsoft Security Bulletin MS09-039 - Critical: Vulnerabilities in
WINS Could Allow Remote Code Execution (969883):

<a class="moz-txt-link-freetext" href="http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx">http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx</a>

Security Research & Defense : MS09-039: More information about the
WINS security bulletin:

<a class="moz-txt-link-freetext" href="http://blogs.technet.com/srd/archive/2009/08/11/ms09-039-more-information-about-the-wins-security-bulletin.aspx">http://blogs.technet.com/srd/archive/2009/08/11/ms09-039-more-information-about-the-wins-security-bulletin.aspx</a>

<p>This morning, we released security update <a
href="http://www.microsoft.com/technet/security/bulletin/MS09-039.mspx">MS09-039</a>
addressing vulnerabilities in the Microsoft Windows Internet Name
Service (WINS). In this blog post, we’d like to help you understand the
following:</p>
<ul>
<li>What is the risk of this vulnerability? </li>
<li>Why is it rated Critical? </li>
<li>What is Microsoft doing to prevent a “WINS worm”? </li>
<li>What can you do to protect your environment?</li>
</ul>
<p><b>What is the risk of this vulnerability?</b></p>
<p>A remote, anonymous attacker could use CVE-2009-1923 (addressed by
MS09-039) to force wins.exe to under-allocate a buffer and copy in
attacker-controlled data. This could lead to heap corruption and
potential code execution as SYSTEM. Therefore, it is important to apply
this security update to affected servers.</p>
<p><b>Why is it rated Critical?</b></p>
<p>The last WINS security update addressing a remote code execution
vulnerability was MS04-045, shipped in December 2004. MS04-045
addressed a remote code execution security vulnerability rated
“Important.” The mitigating factor dropping the rating from the maximum
“Critical” rating down to “Important” was the fact that WINS is not
installed by default. MS09-039 has the same mitigating factor – WINS is
still not installed by default. However, the most recent Security
Development Lifecycle (SDL) bug bar has changed how we rate components
necessary for critical infrastructure. Security bulletins affecting
critical components on enterprise networks are no longer down-rated for
being off by default. We know that enterprise networks will have WINS
so while the mitigating factor applies, it does not change the bulletin
severity.</p>
<p><b>What is Microsoft doing to prevent a “WINS worm”?</b></p>
<p>This vulnerability is fairly easily detectable on the wire.
Microsoft has shared network detection guidance and sample
vulnerability triggers with all our <a
href="http://www.microsoft.com/security/msrc/collaboration/mapppartners.aspx">Microsoft
Active Protections Program (MAPP) partners</a>. They will be able to
use this information to successfully build robust network signatures to
detect and block attempts to exploit this vulnerability. If you cannot
immediately apply the WINS security update to affected servers, we
encourage you to roll out detection updates from your protection
provider as they become available.</p>
<p><b>What can you do to protect your environment?</b></p>
<p>Any potential attacks against the vulnerabilities addressed by
security update MS09-039 will arrive on TCP or UDP port 42. Block those
ports at your perimeter firewall to prevent Internet-based attacks.
Most enterprise networks require WINS internally so you’ll need to
allow access from legitimate network workstations needing to resolve
internal names.</p>
<p>Hopefully this information helps you assess the risk of potential
attacks against the vulnerabilities addressed by MS09-039.</p>


</body>
</html>
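The port 42 guidance in the post above, turned into a check over firewall logs: it separates WINS traffic from internal workstations from anything an outside host was allowed to send to TCP or UDP port 42. This is an added example, not part of the original post or of Microsoft's bulletin; the log format, the internal ranges and the sample lines are constructed assumptions.

```python
import ipaddress
import re

WINS_PORT = 42  # TCP and UDP, per the guidance in the post
# Assumed internal ranges; substitute the site's own workstation subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed format: "<time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

# Constructed sample lines (documentation address ranges stand in for Internet hosts).
SAMPLE_LOG = """\
2009-08-12T09:10:01 ALLOW UDP 10.1.4.23:1037 -> 10.1.0.5:42
2009-08-12T09:10:07 DENY TCP 203.0.113.50:4431 -> 10.1.0.5:42
2009-08-12T09:11:15 ALLOW TCP 198.51.100.7:51822 -> 10.1.0.5:42
2009-08-12T09:11:20 ALLOW TCP 198.51.100.7:51830 -> 10.1.0.5:80
2009-08-12T09:12:02 ALLOW UDP 192.168.7.9:137 -> 10.1.0.5:42
garbled line
"""

def audit_wins_flows(log_text):
    """Classify port-42 flows by source network and firewall action."""
    report = {"internal_allowed": 0, "internal_blocked": 0,
              "external_blocked": 0, "exposed": [], "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            report["unparsed"] += 1
            continue
        if int(m["dport"]) != WINS_PORT:
            continue  # not WINS traffic
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:  # e.g. an octet above 255
            report["unparsed"] += 1
            continue
        internal = any(src in net for net in INTERNAL_NETS)
        allowed = m["action"] == "ALLOW"
        if internal:
            report["internal_allowed" if allowed else "internal_blocked"] += 1
        elif allowed:
            # Perimeter gap: an outside host reached WINS on port 42.
            report["exposed"].append((m["proto"], str(src)))
        else:
            report["external_blocked"] += 1
    return report

if __name__ == "__main__":
    print(audit_wins_flows(SAMPLE_LOG))
```

A non-empty `exposed` list means the perimeter rule is missing or too broad; a non-zero `internal_blocked` count means the block is catching workstations that need WINS for internal name resolution.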