Microsoft Corp. is investigating a security flaw in Windows server software that could allow an attacker to gain complete control over systems running the software, the company said.
The flaw lies in the Windows Internet Name Service (WINS), a network infrastructure component in Windows NT Server 4.0, Windows 2000 Server and Windows Server 2003. WINS provides a distributed database for registering and querying dynamic computer name-to-IP address mapping in a routed network.
Windows 2000 Professional, Windows XP and Windows Millennium Edition also contain WINS but are not affected by this security issue, Microsoft said.
By default, WINS is installed only on the Small Business Server editions of Windows 2000 Server and Windows Server 2003, according to Microsoft. However, in both cases WINS is available only on the local network and not from the Internet, the vendor said in an article on its Web site that described the problem.
Microsoft plans to offer an update to protect against this flaw as part of its monthly update cycle. Meanwhile, the vendor advises users to protect their systems by blocking TCP port 42 and UDP port 42 on their firewall, removing WINS if it is not needed or using IPSec (Internet Protocol Security) to protect traffic between WINS servers.
As of last Friday, Microsoft had not received reports of any successful attacks against customers as a result of this vulnerability, the company said.
Details of the WINS flaw were first published last Friday on the BugTraq mailing list by security company Immunity Inc.
More information on the flaw and Microsoft’s temporary fix can be found at: http://support.microsoft.com/kb/890710