Microsoft downplays Server bug threat, say researchers

Admins might not even know the vulnerable WINS component is installed

Microsoft is downplaying the threat posed by one of the three bugs the company patched today, said security researchers.

The update in question, MS11-035, patches a single vulnerability in WINS (Windows Internet Name Service), a component in every supported edition of Windows Server, including Server 2003, 2008 and the newest, Server 2008 R2.

Attackers could exploit the WINS bug by crafting a malicious data packet, then shooting it at a vulnerable Windows Server box.

What irked researchers is that although Microsoft rated the bug as "critical," the company's highest threat ranking, it also pointed out that WINS is not installed by default, citing that as a mitigation factor.

While true, that overlooks the fact that many networks, especially larger ones in enterprises and government agencies, have WINS installed.

"Most organizations have to install WINS," said Marcus Carey, Rapid7's enterprise security community manager. "With governments and big agencies -- any large network -- WINS is going to be running."

That's because WINS -- Microsoft's name server for Windows networks -- is required for many older third-party or custom-built applications, called "legacy" programs, said Andrew Storms, director of security operations at nCircle Security. "There's so much legacy that relies on WINS [that] our gut instinct is that most will have it installed in the data center," said Storms.

Like Carey, Storms said Microsoft, intentionally or not, softened the warning by telling customers WINS isn't installed by default. "They seem to be downplaying it," Storms said. "It is a network-based remote code possibility, so it comes with some trepidation."

Jason Miller, the data and security team manager for Shavlik Technologies, agreed. "There are more networks with WINS than most people think," he said. "Not only do some very-old legacy applications require it, but some admins, those who inherited a network or those with less tech savvy, may not even know it's installed."

Because Microsoft last patched WINS in 2009, it's possible that the component is active without admins knowing it, Miller argued.

One researcher, however, said Microsoft wasn't downplaying the WINS bug.

"Yes, the vulnerability is remote code executable," said the manager of Qualys' vulnerability research lab. "But I don't think they're trying to downplay it. WINS is not really needed anymore, unless you have some really old software, like SQL Server 2000."

Carey, Storms, Miller and Sarwate all believe that attackers will focus on the WINS vulnerability.

"This is a big deal," said Carey. "There's not an active exploit for this as far as we know, but if attackers are on the top of their game, they could have one in a week or less."

Carey said that hackers could use fuzzers -- tools that hammer at an application looking for a weakness -- to quickly locate the flaw in WINS. "We think it will be easy to do, and that they'll figure it out quickly," he said.

The most likely attack would not be against a Windows Server directly, but against a desktop or notebook PC within the network, Carey continued. "They could exploit a client [with another vulnerability] then pivot the attack to the server," he said. Once a hacker compromised a Windows Server system, he could pillage the machine for confidential information, account log-in credentials and the like.

"I think this will be packaged with a number of other vulnerabilities," said Miller, talking about the possible use of the flaw. "Servers are a prime target."

Microsoft urged network administrators to patch the WINS vulnerability as soon as possible.

"The nice thing is that this is a light month," said Miller. "It should give everyone a chance to get ahead of the game."

That's especially important considering Microsoft's schedule, which ships a larger number of updates in even-numbered months. "We'll probably be back to [updates in] double-digits in June," said Storms.

Today's other update, dubbed MS11-036, patches a pair of bugs in PowerPoint, the presentation manager included with Microsoft's Office suite. One of the vulnerabilities affects Office XP, Office 2003 and Office 2007 on Windows, Office for Mac 2004 and Office for Mac 2008. The second impacts only Office XP and Office 2003.

Neither of the bugs exists within the newest versions, Office 2010 on Windows or Office for Mac 2011.

"This one is in line with the general file format vulnerabilities we see almost every month," said Storms.

Storms' comment was on the mark: Microsoft patched three PowerPoint vulnerabilities in April, and two in November 2010.

Tuesday's patch for PowerPoint 2002 -- the version bundled with Office XP -- may be one of the last for that program: The 10-year-old suite will not receive security updates after July 12.

Microsoft also made good on a promise last week when it said it would tweak its Exploitability Index, the rating system that forecasts the likelihood a vulnerability will be exploited in the coming month.

Today's index showed separate ratings for the newest editions of its software and the older versions.

Microsoft rated the exploitability of the WINS bug as a "2," indicating that it believed that "inconsistent exploit code [is] likely" to appear in the next 30 days.

Today's patches can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftoperating systemssoftwareWindows

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?